VMware disclosed on Tuesday, May 25, 2021 that it had released patches for critical security vulnerabilities in its vCenter Server and VMware Cloud Foundation products. According to the advisory, multiple vulnerabilities in the vSphere Client (HTML5) were reported privately to the company. vCenter Server 6.5, 6.7, and 7.0 are affected, as are the VMware Cloud Foundation 3.x and 4.x releases that bundle them.
The company has urged its customers to apply patches to address the following vulnerabilities:
CVE-2021-21985
- Description: A remote code execution (RCE) vulnerability in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server.
- Known Attack Vector: Allows a malicious actor with access to port 443 to run arbitrary code and execute commands with unrestricted privileges on the operating system hosting vCenter Server.
- Criticality: VMware has assessed this issue to be a critical severity with a CVSSv3 base score of 9.8.
- Important Note: The vSAN Health Check plug-in is enabled by default in every vCenter Server deployment, whether or not vSAN is in use. Customers who do not use vSAN are therefore still affected and still need to patch or apply the workaround.
CVE-2021-21986
- Description: A vulnerability in the vSphere authentication mechanism for the vSAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.
- Known Attack Vector: Allows a malicious actor with network access to port 443 to perform actions permitted by those plug-ins without authentication.
- Criticality: VMware has assessed this issue to be a moderate severity with a CVSSv3 base score of 6.5.
What Does This Mean to Our Partners?
VMware’s Frequently Asked Questions (FAQ) page on this security advisory explains that organizations employing vCenter Servers on internet-connected networks should perform system audits for signs of compromise immediately. The identified vulnerabilities could be exploited by malicious actors if they have network access to port 443.
The company recommends the following actions:
- Establish additional perimeter security controls (firewalls, ACLs, etc.) on virtualization infrastructure management interfaces.
- Consider implementing additional security controls, network segmentation in their IT infrastructure, and zero-trust security strategies.
Ransomware actors are known to spend weeks, sometimes months, on quiet reconnaissance before striking. During this phase they move laterally through the network and wait for the right opportunity, or for a new vulnerability to appear. An RCE vulnerability such as CVE-2021-21985 lets an actor who can reach vCenter Server over the network run code on the appliance itself, and because vCenter manages the organization's ESXi hosts and virtual machines, that foothold sits above most of the security controls deployed inside the guests.
How to Protect Yourself and Your Clients
VMware is tracking this security advisory as VMSA-2021-0010 and has provided details, workarounds, and resource links in its blog post. For customers who cannot patch right away, VMware has published a Knowledge Base article (KB 83829) with instructions for disabling the affected plug-ins in vCenter Server; note that this workaround removes the plug-ins' functionality and is a stopgap, not a replacement for the patch.
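The following script is an added example, not code from the original post, from VMware, or from Blackpoint Cyber. It ties together the two checks above (the perimeter-exposure recommendation and the plug-in workaround) and the patch status in one offline triage pass over a vCenter inventory: for each appliance it decides whether the build is at or above the fixed version, whether a copy of the appliance's compatibility-matrix.xml disables every affected plug-in, and whether TCP/443 is reachable from anything outside the management network. The fixed version numbers and the plug-in IDs are taken from VMSA-2021-0010 and KB 83829 as I recall them and should be verified against the current advisory text; the inventory, the management subnet, and the XML snippets are constructed sample data.

```python
"""Offline VMSA-2021-0010 triage (added example; inventory data is constructed)."""
import ipaddress
import xml.etree.ElementTree as ET

# Fixed builds per the VMSA-2021-0010 response matrix: 6.5 U3p, 6.7 U3n, 7.0 U2b.
# Assumed values; verify against the advisory before relying on them.
FIXED_VERSIONS = {
    "6.5": (6, 5, 0, 34000),
    "6.7": (6, 7, 0, 48000),
    "7.0": (7, 0, 2, 200),
}

# Plug-in IDs that the KB 83829 workaround marks "incompatible" (assumed from
# the KB; confirm against its current text).
AFFECTED_PLUGINS = {
    "com.vmware.vsphere.client.h5vsan",  # vSAN Health Check
    "com.vmware.vrUi",                   # Site Recovery
    "com.vmware.vum.client",             # vSphere Lifecycle Manager
    "com.vmware.h4.vsphere.client",      # VMware Cloud Director Availability
}

MANAGEMENT_NETWORK = ipaddress.ip_network("10.50.0.0/24")  # constructed example


def parse_version(version: str) -> tuple:
    """'7.0.2.00200' -> (7, 0, 2, 200), the format the vSphere Client shows."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str):
    """True if at/above the fixed build, False if below, None for an unknown line."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return None
    return parts >= fixed


def disabled_plugins(matrix_xml: str) -> set:
    """Plug-in IDs that compatibility-matrix.xml marks incompatible (disabled)."""
    root = ET.fromstring(matrix_xml)
    return {
        pkg.get("id")
        for pkg in root.iter("PluginPackage")
        if pkg.get("status") == "incompatible"
    }


def workaround_gaps(matrix_xml: str) -> set:
    """Affected plug-ins the workaround has NOT disabled (empty set = complete)."""
    return AFFECTED_PLUGINS - disabled_plugins(matrix_xml)


def exposed_sources(allowed_sources) -> list:
    """Source ranges allowed to reach TCP/443 that lie outside the management net."""
    return [
        src for src in allowed_sources
        if not ipaddress.ip_network(src).subnet_of(MANAGEMENT_NETWORK)
    ]


def triage(appliance: dict) -> str:
    """Classify one appliance as PATCHED, MITIGATED, VULNERABLE, or UNKNOWN."""
    patched = is_patched(appliance["version"])
    if patched is None:
        return "UNKNOWN"
    if patched:
        return "PATCHED"
    matrix = appliance.get("compatibility_matrix")
    if matrix and not workaround_gaps(matrix):
        return "MITIGATED"
    return "VULNERABLE"


# Constructed compatibility-matrix.xml samples: one complete, one partial.
MATRIX_COMPLETE = """<Matrix><pluginsCompatibility>
  <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
  <PluginPackage id="com.vmware.vrUi" status="incompatible"/>
  <PluginPackage id="com.vmware.vum.client" status="incompatible"/>
  <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>
</pluginsCompatibility></Matrix>"""
MATRIX_PARTIAL = """<Matrix><pluginsCompatibility>
  <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
</pluginsCompatibility></Matrix>"""

INVENTORY = [  # constructed sample inventory
    {"name": "vcsa-prod-01", "version": "7.0.2.00200",
     "allowed_443_sources": ["10.50.0.0/24"]},
    {"name": "vcsa-prod-02", "version": "7.0.2.00100",
     "allowed_443_sources": ["0.0.0.0/0"], "compatibility_matrix": MATRIX_PARTIAL},
    {"name": "vcsa-lab-01", "version": "6.7.0.44000",
     "allowed_443_sources": ["10.50.0.0/24", "192.168.1.0/24"],
     "compatibility_matrix": MATRIX_COMPLETE},
]


def report(inventory) -> dict:
    """Map appliance name -> (status, sources outside management allowed to 443)."""
    return {a["name"]: (triage(a), exposed_sources(a["allowed_443_sources"]))
            for a in inventory}


if __name__ == "__main__":
    for name, (status, exposed) in report(INVENTORY).items():
        print(f"{name:14} {status:11} 443 reachable from: {exposed or 'management only'}")
```

A MITIGATED appliance is only as safe as the restart that follows the XML edit, so in practice pair this with a check that the vsphere-ui service was restarted after the matrix was changed, and treat any appliance whose 443 is reachable from 0.0.0.0/0 as the first one to fix regardless of its patch state.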
Cyberattacks involving ransomware are quickly becoming the main event in today’s threat landscape. With more organizations finding themselves the target of ransomware attacks, do not wait to strengthen your network security. Blackpoint Cyber’s experienced Managed Detection & Response (MDR) team responds 24/7/365 to critical threats by isolating infected devices and terminating malicious software, immediately helping to eradicate a malicious actor’s foothold in your network. Further, our patented SNAP-Defense Security Operations & Incident Response platform allows us to detect lateral movement in its earliest stages and then neutralize threats before they have a chance to spread.
Contact us today and rest easy knowing that our team keeps you and your clients safe from even the most advanced threats.