Critical Vulnerabilities in VMware ESXi and vCenter Server (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)

The first of these vulnerabilities is identified as CVE-2021-21972 and classified as critical. It allows remote code execution on the underlying operating system of vCenter Server whenever the vSphere Client (HTML5) can be reached over the network. The flaw is in a vSphere Client (HTML5) plugin that is installed by default on the server (the vRealize Operations plugin, served under /ui/vropspluginui/).

To exploit it, a malicious actor only needs network access to port 443 on vCenter Server: a crafted request to the vulnerable plugin URL is enough to execute commands with unrestricted privileges on the underlying operating system, and no authentication is required.

The affected versions and their security fixes are as follows:

Product        | Version | CVSSv3 | Severity | Fixed version
vCenter Server | 7.0     | 9.8    | Critical | 7.0 U1c
vCenter Server | 6.7     | 9.8    | Critical | 6.7 U3l
vCenter Server | 6.5     | 9.8    | Critical | 6.5 U3n

The next vulnerability, CVE-2021-21974, is classified as important. A malicious actor on the same network segment as an ESXi host who has access to TCP/UDP port 427 can trigger a heap overflow in the OpenSLP service and execute code remotely on the hypervisor. Besides patching, VMware's workaround for this issue is to disable the SLP service on ESXi (KB76372).

The affected versions and their security fixes are as follows:

Product | Version | CVE identifier | CVSSv3 | Fixed version
ESXi    | 7.0     | CVE-2021-21974 | 8.8    | ESXi70U1c-17325551
ESXi    | 6.7     | CVE-2021-21974 | 8.8    | ESXi670-202102401-SG
ESXi    | 6.5     | CVE-2021-21974 | 8.8    | ESXi650-202102101-SG

The third vulnerability, CVE-2021-21973, is classified as moderate and also lives in the vSphere Client (HTML5). According to VMware, improper validation of URLs in a vCenter Server plugin makes a Server-Side Request Forgery (SSRF) attack possible.

To exploit it, a malicious actor with network access to port 443 sends a POST request to the vulnerable URL; the vCenter Server is then made to issue requests on the attacker's behalf, which leads to information disclosure.

Both CVE-2021-21972 and CVE-2021-21973 are fixed by updating vCenter Server to the versions below, or mitigated until the update can be applied by following the workaround in VMware KB82374, which disables the affected plugin.

Public proofs of concept for both vulnerabilities are available on GitHub. This aggravates the problem, since the vulnerabilities can be exploited without any knowledge of VMware technology.

Product        | Version | Fixed version | Workaround
vCenter Server | 7.0     | 7.0 U1c       | KB82374
vCenter Server | 6.7     | 6.7 U3l       | KB82374
vCenter Server | 6.5     | 6.5 U3n       | KB82374

Recommendation

LACNIC CSIRT recommends installing the fixed versions listed above and not exposing vSphere management services (vCenter Server port 443, ESXi port 427) to the Internet.

It is advisable to analyze the vCenter Server web server access logs to detect possible exploitation attempts. Based on the exploits that have been made public, requests to the following URI path should be searched for, in particular POST requests and any request from source addresses that are not expected to manage the vCenter:

“/ui/vropspluginui/rest/services/uploadova”
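As an added example that is not part of the LACNIC advisory or of VMware's material, the following Python script runs that search over a few constructed access-log lines in the common log format that Tomcat-based services write. The sample lines are made up; the location of the access log on a given vCenter appliance is not assumed here (pass the file contents to scan()), and the broader match on the /ui/vropspluginui/ prefix, used to catch probing of the plugin before the upload endpoint is hit, is an assumption of this example rather than something the advisory states.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (common log format); not real vCenter Server logs.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2021:10:12:01 +0000] "GET /ui/login HTTP/1.1" 200 5120
203.0.113.7 - - [24/Feb/2021:10:12:07 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 0
198.51.100.9 - - [24/Feb/2021:10:13:44 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0
192.0.2.5 - - [24/Feb/2021:10:15:00 +0000] "GET /ui/app/folder HTTP/1.1" 200 2210
"""

# Fields of a common-log-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path used by the public CVE-2021-21972 exploits (named in the advisory above).
VULN_PATH = "/ui/vropspluginui/rest/services/uploadova"
# Assumption of this example: any access to the plugin prefix is worth a look.
PLUGIN_PREFIX = "/ui/vropspluginui/"


def parse_line(line):
    """Return a dict with ip/ts/method/path/status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def normalize_path(raw_path):
    """Strip the query string and decode percent-encoding so that
    encoded variants of the path (e.g. %2F) do not slip past the match."""
    path = raw_path.split("?", 1)[0]
    return unquote(path).lower()


def classify(entry):
    """'critical' for a POST to the upload endpoint that the server accepted,
    'suspicious' for any other access to the endpoint or the plugin prefix,
    None for unrelated requests."""
    path = normalize_path(entry["path"])
    if path == VULN_PATH:
        if entry["method"] == "POST" and 200 <= entry["status"] < 300:
            return "critical"
        return "suspicious"
    if path.startswith(PLUGIN_PREFIX):
        return "suspicious"
    return None


def scan(log_text):
    """Run the classification over every line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        level = classify(entry)
        if level is None:
            continue
        findings.append({
            "level": level,
            "ip": entry["ip"],
            "ts": entry["ts"],
            "method": entry["method"],
            "path": entry["path"],
            "status": entry["status"],
        })
    return findings


def sources_by_level(findings):
    """Count findings per (source IP, level) to see who hit the endpoint most."""
    return Counter((f["ip"], f["level"]) for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['level']:10} {f['ip']:15} {f['ts']} {f['method']} {f['path']} {f['status']}")
    print(sources_by_level(results))
```

A hit classified as critical means a client completed an upload to the endpoint, which on an unpatched vCenter is the exploitation pattern; the follow-up is to check for files the request may have written and to treat the source address as hostile. A 405 or 404 against the same path still shows that someone is probing for the plugin and should be correlated with other activity from that address.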

More information

https://www.vmware.com/security/advisories/VMSA-2021-0002.html