VMSA-2021-0002 updates for VMware ESXi and vCenter address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)


Yesterday, VMware released an update that addresses three vulnerabilities in its ESXi, vCenter Server and Cloud Foundation products.

About the vulnerabilities

Remote code execution vulnerability in the vSphere Client (CVE-2021-21972)

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Mikhail Klyuchnikov of Positive Technologies reported the vulnerability to VMware.

The vulnerability is addressed in the following versions of vCenter Server:

  • vCenter Server version 7.0 U1c (ESXi70U1c-17325551)
  • vCenter Server version 6.7 U3l (ESXi670-202102401-SG)
  • vCenter Server version 6.5 U3n (ESXi650-202102101-SG)
  • Cloud Foundation (vCenter Server) version 4.2
  • Cloud Foundation (vCenter Server) version 3.10.1.2

SSRF vulnerability in the vSphere Client (CVE-2021-21973)

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.

Mikhail Klyuchnikov of Positive Technologies reported the vulnerability to VMware.

The vulnerability is addressed in the following versions of vCenter Server:

  • vCenter Server version 7.0 U1c (ESXi70U1c-17325551)
  • vCenter Server version 6.7 U3l (ESXi670-202102401-SG)
  • vCenter Server version 6.5 U3n (ESXi650-202102101-SG)
  • Cloud Foundation (vCenter Server) version 4.2
  • Cloud Foundation (vCenter Server) version 3.10.1.2

ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)

OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

Lucas Leong of Trend Micro's Zero Day Initiative reported the vulnerability to VMware.

The vulnerability is addressed in the following versions of ESXi and Cloud Foundation:

  • ESXi version ESXi70U1c-17325551
  • ESXi version ESXi670-202102401-SG
  • ESXi version ESXi650-202102101-SG
  • Cloud Foundation (vCenter Server) version 4.2
  • Cloud Foundation (vCenter Server) version 3.10.1.2 with EP 18 (6.7.0-17499825)

Concluding

Please install the updates for the version(s) of ESXi, vCenter Server and/or Cloud Foundation in use within your organization, as mentioned above and in the advisory for VMSA-2021-0002.

Alternatively, perform the workarounds as mentioned in KB82374 for vCenter Server (pertaining to CVE-2021-21972 and CVE-2021-21973) and KB76372 for ESXi (pertaining to CVE-2021-21974).
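To help decide which hosts still need the ESXi patch or the KB76372 workaround for CVE-2021-21974, the following added example (not VMware's code and not taken from the advisory) parses the text output of two esxcli commands an administrator would run on an ESXi host, `esxcli system version get` and `esxcli network firewall ruleset list`, and classifies the host. The fixed build numbers are the ones named on this page (17325551 for 7.0 U1c and 17499825 for the 6.7 EP 18 build); the page does not give the 6.5 build number, so a 6.5 host is reported as "unknown" rather than guessed. The sample command outputs embedded below are constructed for the example, and the build 17000000 in them is a placeholder, not a real ESXi build.

```python
"""Triage helper for VMSA-2021-0002 / CVE-2021-21974 (added example).

Given the text of `esxcli system version get` and
`esxcli network firewall ruleset list`, report whether an ESXi host is
patched, relying on the KB76372 SLP workaround, still exposed, or unknown.
"""
import re

# Fixed ESXi builds as named on the page. The 6.5 fixed build is not
# given there, so it is deliberately absent (assumption: treat as unknown).
FIXED_BUILDS = {
    "7.0": 17325551,  # ESXi70U1c-17325551
    "6.7": 17499825,  # ESXi670-202102401-SG, shown on the page as 6.7.0-17499825
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_VERSION_OLD = """\
   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17000000
   Update: 1
"""
SAMPLE_VERSION_FIXED = """\
   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17325551
   Update: 1
"""
SAMPLE_RULESET_SLP_ON = """\
Name        Enabled
----------  -------
sshServer      true
CIMSLP         true
"""
SAMPLE_RULESET_SLP_OFF = SAMPLE_RULESET_SLP_ON.replace("CIMSLP         true",
                                                       "CIMSLP         false")


def parse_version(text):
    """Return (major.minor, build number) from `esxcli system version get` text."""
    version = build = None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Version":
            version = ".".join(value.strip().split(".")[:2])
        elif key == "Build":
            match = re.search(r"(\d+)\s*$", value)  # trailing digits of Releasebuild-NNN
            if match:
                build = int(match.group(1))
    return version, build


def ruleset_enabled(text, name):
    """True/False for the named row of `esxcli network firewall ruleset list`, None if absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == name:
            return parts[1].lower() == "true"
    return None


def assess(version_text, ruleset_text):
    """Classify a host as patched, workaround, exposed or unknown."""
    version, build = parse_version(version_text)
    fixed = FIXED_BUILDS.get(version)
    patched = None if fixed is None or build is None else build >= fixed
    slp_open = ruleset_enabled(ruleset_text, "CIMSLP")
    if patched is True:
        status = "patched"
    elif slp_open is False:
        status = "workaround"  # unpatched, but the CIMSLP ruleset is disabled per KB76372
    elif patched is None:
        status = "unknown"     # version not on the page's fixed-build list
    else:
        status = "exposed"     # unpatched and SLP still reachable through the firewall
    return {"version": version, "build": build, "patched": patched,
            "cimslp_enabled": slp_open, "status": status}


if __name__ == "__main__":
    for label, v, r in (("old host, SLP on", SAMPLE_VERSION_OLD, SAMPLE_RULESET_SLP_ON),
                        ("old host, SLP off", SAMPLE_VERSION_OLD, SAMPLE_RULESET_SLP_OFF),
                        ("fixed host", SAMPLE_VERSION_FIXED, SAMPLE_RULESET_SLP_ON)):
        print(f"{label}: {assess(v, r)['status']}")
```

KB76372's workaround stops the slpd service and disables the CIMSLP firewall ruleset; this helper only inspects the ruleset state, so a host that still shows CIMSLP enabled should be treated as exposed until it is patched or the workaround is completed. A host whose version is not in FIXED_BUILDS is reported as "unknown" rather than assumed safe.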

FURTHER READING

VMware updated the patch for CVE-2020-3992 to completely address the Remote Code Execution Vulnerability (Critical, CVSSv3 9.8)
Two vulnerabilities in VMware ESXi may lead to virtual Domain Controller compromise (Critical, VMSA-2020-0026, CVE-2020-4004, CVE-2020-4005)

One Response to VMSA-2021-0002 updates for VMware ESXi and vCenter address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)

  1. Nice information
