VMware Warns of Critical Remote Code Execution Hole In vCenter (zdnet.com) 15
An anonymous reader quotes a report from ZDNet: VMware is urging its vCenter users to update vCenter Server versions 6.5, 6.7, and 7.0 immediately, after a pair of vulnerabilities were reported privately to the company. The most pressing is CVE-2021-21985, which relates to a remote code execution vulnerability in a vSAN plugin enabled by default in vCenter that an attacker could use to run whatever they wished on the underlying host machine, provided they can access port 443. Even if users do not use vSAN, they are likely to be affected because the vSAN plugin is enabled by default. "This needs your immediate attention if you are using vCenter Server," VMware said in a blog post.
The second vulnerability, CVE-2021-21986, would allow an attacker to perform actions allowed by plugins without authentication. "The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins," VMware said. In terms of CVSSv3 scores, CVE-2021-21985 hit a 9.8, while CVE-2021-21986 was scored as 6.5.
Re:One is curious... (Score:5, Informative)
HTML5 accidents-waiting-to-happen... (Score:2)
are no longer waiting!
It's hard to say this is a "poorly designed HTML-5 client", when writing client software is like an adversarial game of "gotcha", your own best tools are designed like security puzzles, and there is no clear way to avoid such pitfalls.
On the other hand? The vulnerability is very severe, but it shouldn't even be possible, with decent secure operations practice, to reach vCenter and exploit it.
If you have untrusted and insecure endpoints that are able to contact your vCenter, then you likely
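The summary above makes the point that CVE-2021-21985 is reachable by anyone who can hit vCenter on port 443, and the comment above makes the matching operational point: untrusted endpoints should not be able to reach vCenter at all. The following is an added example (not code from ZDNet, VMware or any commenter) of a check a defender could run over firewall or flow logs to find allowed connections to an affected vCenter on 443 from outside the management network. The log format, the management CIDR, the vCenter addresses and their versions are all constructed for this example; the only values taken from the page are the affected version lines 6.5, 6.7 and 7.0 and port 443.

```python
import ipaddress
import re
from dataclasses import dataclass

# Version lines VMware named as affected in the advisory summarised above.
AFFECTED_VCENTER_LINES = ("6.5", "6.7", "7.0")

# Constructed for this example: management networks allowed to reach vCenter.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed for this example: vCenter appliances and their version lines.
VCENTER_HOSTS = {"10.10.0.50": "7.0", "10.10.0.51": "6.7"}

# Constructed firewall/flow log lines in a made-up key=value format.
SAMPLE_FLOW_LOG = """\
2021-05-26T09:58:01Z src=10.10.0.7 dst=10.10.0.50 dport=443 action=ALLOW
2021-05-26T09:58:05Z src=192.168.44.9 dst=10.10.0.50 dport=443 action=ALLOW
2021-05-26T09:58:09Z src=203.0.113.25 dst=10.10.0.51 dport=443 action=ALLOW
2021-05-26T09:58:12Z src=192.168.44.9 dst=10.10.0.50 dport=22 action=DENY
2021-05-26T09:58:20Z src=198.51.100.4 dst=10.10.0.99 dport=443 action=ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    vcenter: str
    version: str


def is_affected_version(version: str) -> bool:
    """True if the version string falls in one of the advisory's affected lines."""
    return any(version == line or version.startswith(line + ".")
               for line in AFFECTED_VCENTER_LINES)


def is_trusted(src: str) -> bool:
    """True if the source address sits inside a management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_untrusted_vcenter_access(log_text: str, vcenter_hosts=VCENTER_HOSTS):
    """Return allowed 443 connections to an affected vCenter from untrusted sources."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        if m["action"] != "ALLOW" or m["dport"] != "443":
            continue  # only allowed HTTPS traffic matters for this check
        version = vcenter_hosts.get(m["dst"])
        if version is None or not is_affected_version(version):
            continue  # destination is not an affected vCenter
        if is_trusted(m["src"]):
            continue  # expected management traffic
        findings.append(Finding(m["ts"], m["src"], m["dst"], version))
    return findings


if __name__ == "__main__":
    for f in find_untrusted_vcenter_access(SAMPLE_FLOW_LOG):
        print(f"{f.ts} {f.src} -> vCenter {f.vcenter} (v{f.version}) on 443 from outside mgmt net")
```

Run against the constructed sample, the check reports two connections: one from 192.168.44.9 and one from 203.0.113.25, both reaching an affected vCenter on 443 from outside the management CIDR. The trusted management host, the denied SSH attempt and the connection to a non-vCenter address are all ignored. In a real estate the log format, host list and CIDRs would come from your own firewall and inventory.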
better than the old flash + plugin webui (Score:2)
better than the old flash + plugin webui.
Re: (Score:3)
Re: (Score:2)
Adobe was making a BIG x-platform push with Flex-UI at the time. When you have Enterprise software deployed at that scale, development doesn't turn on a dime.
By the time the first vSphere FLEX client software was shipping, after almost 2 years of being tested for full functionality, it was already apparent how much Flash was a rapidly diminishing technology. HTML5 standards were at last at a readiness and maturity within these same couple of years.
vSphere/vCenter had been built over 8 years, with a couple o
Re: (Score:1)
I do not like how AlgoSec's website is so NoScript unfriendly. Shouldn't security based companies encourage customers to be less vulnerable by using NoScript? Personal annoyance so won't be checking them out any further.
Re: (Score:2)
This is not a "personal annoyance". This is a sign about how AlgoSec is not a serious security company to do business with.
Cloud exposing you to more hackers as usual (Score:2)
All the Cloud BS is such a bad idea for any company big enough to know the difference.
Re: (Score:2)
+1000 Someday (I hope soon) companies will put security and clients' privacy back as a top priority by bringing their mission-critical systems back in-house. Until then, each time I see news like this I laugh a lot, open a beer, grab a bag of popcorn and watch the show...
vSphere is slower than molasses (Score:1)
Ugh. I hate signing into modern vSphere/vCenter. It takes over two minutes to load a single webpage and pull down a short list of VMs. The installable C# client was far faster and superior to the HTML5 client in every way that mattered.
Am I shocked that there's a critical vulnerability in the vSphere HTML5 client software? Nope. Not one bit.
Best practice for those who do not upgrade? (Score:2)