Cybersecurity Threat Advisory 0035-21: VMWare vCenter Critical RCE Vulnerability
VMware is a virtualization and cloud computing vendor which is used worldwide by many different companies. Recently, VMware announced that they were informed of two vulnerabilities which affect certain versions of its vCenter service. Successful exploitation of these vulnerabilities could allow an attacker to obtain remote control of a device. SKOUT recommends ensuring that all devices are updated to their latest versions, to allow for security patches to be implemented.
Technical Detail & Additional Information
WHAT IS THE THREAT?
There are two vulnerabilities that VMware was informed about, both of which have been patched.
CVE-2021-21985 – Remote Code Execution Vulnerability
- This vulnerability exists in the vSAN plugin, which is enabled by default in vCenter. An attacker could potentially use this to execute remote commands, which would enable them to run anything they wanted on a vulnerable device.
CVE-2021-21986 – Attackers Can Perform Actions Without Authentication
- This vulnerability exists in the vSphere Client, which is an authentication mechanism used by VMware. If exploited, an attacker could perform actions on a device without needing to be authenticated.
WHY IS IT NOTEWORTHY?
Thousands of individuals and businesses use and trust VMware products. Being these products are so widely used, the scope for potential targets on which attackers could exploit vulnerabilities is large. Attackers look out for these types of vulnerabilities and look to exploit them, so it is very important to keep services updated regularly. This is to apply patches that are made specifically to prevent these vulnerabilities from being exploited.
WHAT IS THE EXPOSURE OR RISK?
The exploits listed above could potentially allow attackers to escalated privileges, bypass authentication, or execute remote code, amongst other potential threats. These vulnerabilities could lead to several possible compromises, such as denial of service attacks, and even complete system compromises. In many cases, IT users who could have high end admin access will rely on virtual machines for different parts of their job. If one of these machines was compromised, attackers could gain access to sensitive information by executing arbitrary system commands and even create/delete files. Many companies rely on VMware machines remaining private and being able to use these machines to conduct everyday business. These vulnerabilities put these expectations at potential risk if they are exploited by attackers, so it is very important to ensure that they are patched.
WHAT ARE THE RECOMMENDATIONS?
VMware has released patches for these vulnerabilities. They say they affect vCenter Server versions 6.5, 6.7, and 7.0. SKOUT recommends immediately updating any devices running those versions to allow for the proper patches to be applied.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.