CVE-2021-21985 is a critical vulnerability in VMware vCenter that needs to be patched immediately. The vulnerability has been rated with a CVSS score of 9.8 out of 10, and it could enable a malicious actor to execute arbitrary code on a targeted server.
CVE-2021-21985: Critical Flaw in VMware vCenter
The flaw stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. According to the official advisory, the following products are impacted:
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
“Multiple vulnerabilities in the vSphere Client (HTML5) were privately reported to VMware. Updates and workarounds are available to address these vulnerabilities in affected VMware products,” the advisory says. More specifically, the flaws were reported by security researcher Ricter Z of 360 Noah Lab.
What is VMware vCenter Server? In short, it is a server management tool that controls virtual machines, ESXi hosts, and other components from a centralized location. The vulnerability impacts vCenter Server versions 6.5, 6.7, and 7.0, and Cloud Foundation versions 3.x and 4.x.
The released patches also fix an authentication issue in the vSphere Client that affects the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. This issue is tracked as CVE-2021-21986 and is rated 6.5 out of 10 on the CVSS scale. The flaw could allow an attacker to perform actions permitted by the plug-ins without authentication.
More details about the vulnerabilities as well as information on how to apply patches are available in the advisory. The company is urging customers to patch immediately.
Why is timely patching so crucial?
Earlier this year, the RansomExx gang was exploiting two vulnerabilities in the VMware ESXi product. In February, reports showed that the ransomware operators were utilizing CVE-2019-5544 and CVE-2020-3992 in VMware ESXi. In short, the two flaws could allow an attacker on the same network to send malicious SLP requests to a vulnerable ESXi device. The attacker could then gain control over it.