Critical Vulnerabilities in VMware ESXi and vCenter Server (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)
The first of these vulnerabilities is identified as CVE-2021-21972 and classified as critical. It allows remote code execution on the underlying operating system when the vSphere Client (HTML5) can be accessed over the network. The vulnerability is found in a vSphere Client (HTML5) plugin that is installed on the server by default.
To exploit this vulnerability, a malicious actor must execute commands through the affected server’s vulnerable URL.
The affected versions and their security fixes are as follows:
| Product | Version | CVSSv3 | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| vCenter Server | 7.0 | 9.8 | Critical | 7.0 U1c |
| vCenter Server | 6.7 | 9.8 | Critical | 6.7 U3l |
| vCenter Server | 6.5 | 9.8 | Critical | 6.5 U3n |
The next vulnerability is classified as important and identified as CVE-2021-21974. A malicious actor who has access to ESXi hypervisor TCP/UDP port 427 can remotely execute code by performing a heap-overflow attack in the OpenSLP service.
The affected versions and their security fixes are as follows:
| Product | Version | CVE Identifier | CVSSv3 | Fixed Version |
| --- | --- | --- | --- | --- |
| ESXi | 7.0 | CVE-2021-21974 | 8.8 | ESXi70U1c-17325551 |
| ESXi | 6.7 | CVE-2021-21974 | 8.8 | ESXi670-202102401-SG |
| ESXi | 6.5 | CVE-2021-21974 | 8.8 | ESXi650-202102101-SG |
The third vulnerability, CVE-2021-21973, is classified as moderate severity and is also found in the vSphere Client (HTML5). According to VMware, an improperly validated URL on the vCenter server side makes it possible to perform an SSRF (Server-Side Request Forgery) attack.
To exploit the vulnerability, a malicious actor needs access to port 443 to send a POST request to the vulnerable URL.
Both the CVE-2021-21972 and the CVE-2021-21973 vulnerabilities can be fixed by updating the system or following the workaround instructions offered in the KB82374 guide.
On GitHub there are proofs of concept for both vulnerabilities. This aggravates the problem, as the vulnerabilities might be exploited without any knowledge of VMware technology.
| Product | Version | Fixed Version | Workarounds |
| --- | --- | --- | --- |
| vCenter Server | 7.0 | 7.0 U1c | KB82374 |
| vCenter Server | 6.7 | 6.7 U3l | KB82374 |
| vCenter Server | 6.5 | 6.5 U3n | KB82374 |
Recommendation
LACNIC CSIRT recommends installing the latest version of each system and avoiding exposing services to the Internet.
It is advisable to analyze web server logs to detect potential exploitation of these vulnerabilities. Based on the exploits that have been made public, log searches should target the following URI path:
/ui/vropspluginui/rest/services/uploadova
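The following script is an added illustration of that log search and is not part of the LACNIC CSIRT advisory or of any VMware tooling. It parses web server access log lines in the common NCSA combined format, normalizes the request path, and flags any request to the `/ui/vropspluginui/rest/services/uploadova` path named above. The sample log lines, the source addresses, the user agents and the severity labels are constructed for this example; only the URI path comes from the advisory.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log lines (NCSA combined format). The addresses,
# timestamps and user agents are invented for this example; only the
# /ui/vropspluginui/rest/services/uploadova path comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Feb/2021:10:01:12 +0000] "GET /ui/login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Feb/2021:10:02:45 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0 "-" "python-requests/2.25.1"
198.51.100.7 - - [23/Feb/2021:10:02:46 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 51 "-" "python-requests/2.25.1"
10.0.0.9 - - [23/Feb/2021:10:05:00 +0000] "GET /ui/app/home?x=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# URI path(s) to look for, taken from the advisory text above.
SUSPICIOUS_PATHS = ("/ui/vropspluginui/rest/services/uploadova",)

# Fields of one NCSA combined log line: client IP, timestamp, request line
# (method, path, protocol) and HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path: str) -> str:
    """Strip the query string, URL-decode and lower-case the path so that
    trivial evasions (encoding, mixed case) still match."""
    path = raw_path.split("?", 1)[0]
    return unquote(path).lower()


def find_suspicious(lines):
    """Return one record per request that touches a suspicious path.

    A POST is labelled 'high' because public exploits send the upload as a
    POST; a GET is labelled 'medium' since it may only be a probe."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a parseable access log line; skip it
        path = normalize_path(match.group("path"))
        if not any(path.startswith(p) for p in SUSPICIOUS_PATHS):
            continue
        method = match.group("method").upper()
        hits.append({
            "ip": match.group("ip"),
            "timestamp": match.group("ts"),
            "method": method,
            "path": path,
            "status": int(match.group("status")),
            "severity": "high" if method == "POST" else "medium",
        })
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address, to spot repeat offenders."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"[{h['severity']}] {h['timestamp']} {h['ip']} "
              f"{h['method']} {h['path']} -> {h['status']}")
    print("requests per source:", summarize_by_source(found))
```

On a real system, feed the script the vCenter web access log (for example via `find_suspicious(open(path))`) rather than the embedded sample. A hit with a 200 status on a POST deserves an incident response triage; a 405 or 404 on a GET is more likely a scanner probe but still indicates the host was reachable from that source.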
More information
https://www.vmware.com/security/advisories/VMSA-2021-0002.html