eSentire White Logo

Security advisories | Feb 24, 2021

VMware Remote Code Execution Vulnerability 

THE THREAT

On February 23rd, 2021, VMware disclosed a critical vulnerability impacting vCenter Servers. The vulnerability, tracked as CVE-2021-21972, allows for remote code execution and if exploited, could result in the full compromise of affected systems. Abuse of this vulnerability does not require authentication or user interaction.

Exploitation of CVE-2021-21972 has not been identified in the wild at this time. Due to the ease of exploitation and high severity (9.8/10), it is likely that threat actors will abuse this vulnerability in the near future. Organizations are recommended to apply the official VMware patch as soon as possible.

What we’re doing about it

  • MVS will automatically add the relevant plugins for CVE-2021-21972 once details are made available
    • MVS customers seeking assistance with their review or scans, please contact your MVS consultant or the eSentire Security Operations Center (SOC)
  • eSentire security teams continue to track this topic for additional details and detection opportunities

What you should do about it

  • After performing a business impact review, apply the VMware patches to vulnerable systems
  • If patching is not possible, apply the VMware workaround until patches are fully deployed

Additional information

CVE-2021-21972 is due to issues found in the vSphere Client (HTML5) in vCenter Server plugin. Confirmed impacted vCenter Servers include versions 6.5, 6.7, and 7.

Proof-of-Concept (POC) code and technical details for CVE-2021-21972 were released on February 24th. This release will decrease the amount of time before exploitation occurs in the wild.

In an attack scenario, a threat actor with network access to port 443 could exploit this issue. The threat actor would then be able to execute commands on the vulnerable system with unrested privileges. No previous authentication or privileges are required.

In the same release, VMware announced patches for two other vulnerabilities:

  • CVE-2021-21974 (8.8) - Heap-overflow vulnerability in ESXI
  • CVE-2021-21973 (5.3) - Server-Side Request Forgery (SSRF) vulnerability in the vCenter Server

References:

[1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html

[2] https://kb.vmware.com/s/article/82374

[3] https://swarm.ptsecurity.com/unauth-rce-vmware/