Today, VMware released an update that addresses an SFCB improper authentication vulnerability (CVE-2021-21994) and an OpenSLP denial-of-service vulnerability (CVE-2021-21995). These two vulnerabilities can be used to compromise virtual Domain Controllers running on ESXi.
Note:
The vulnerabilities exist in VMware Cloud Foundation, too.
The two vulnerabilities were responsibly disclosed to VMware.
About the vulnerabilities
SFCB improper authentication vulnerability (CVE-2021-21994)
The first vulnerability is an improper authentication vulnerability in the Small Footprint CIM Broker (SFCB).
Note:
The SFCB service is not enabled by default on ESXi.
SFCB as implemented in VMware ESXi has an authentication bypass vulnerability. This is an important update with a maximum CVSSv3 base score of 7.0.
A malicious actor with network access to port 5989 on ESXi may exploit this issue to bypass SFCB authentication by sending a specially crafted request.
The vulnerability was responsibly disclosed to VMware by Douglas Everson of Voya Financial.
A workaround for this vulnerability is to disable the SFCB service.
OpenSLP denial-of-service vulnerability (CVE-2021-21995)
The second vulnerability is an OpenSLP denial-of-service vulnerability (CVE-2021-21995). OpenSLP as implemented in VMware ESXi has a denial-of-service vulnerability due to a heap out-of-bounds read. This is a moderately important update with a maximum CVSSv3 base score of 5.3.
A malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in the OpenSLP service, resulting in a denial-of-service condition.
A workaround for this vulnerability is to disable the SLP service.
The link to virtual Domain Controllers
Many Active Directory Domain Controllers run as virtual machines on top of VMware ESXi.
By exploiting these vulnerabilities, an attacker may elevate their privileges and manage the ESXi host, or make the ESXi host unavailable. Either way, the Active Directory database and Group Policy settings on the virtual Domain Controllers may be affected, and such changes then replicate as authorized changes to all other Domain Controllers, including physical ones.
When Active Directory’s integrity is gone, it’s Game Over for 9/10 organizations. Please update.
About the fix
VMware addressed the vulnerabilities in the following versions:
For ESXi 7.0, versions ESXi70U2-17630552 and later are no longer vulnerable.
For ESXi 6.7, version ESXi670-202103101-SG addresses the vulnerabilities.
For ESXi 6.5, version ESXi650-202107401-SG addresses the vulnerabilities.
Concluding
Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2021-0014.
Alternatively, disable the SFCB service and the SLP service on ESXi hosts that run virtual Domain Controllers.
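To put that advice into practice across a fleet, here is an added PowerCLI script (not from the original post or from VMware) that lists, per ESXi host, whether the SFCB and SLP services are running and whether a 7.0 host is on the fixed build, and with -Remediate stops both services and keeps them off. It assumes an open Connect-VIServer session, and that the service keys 'sfcbd-watchdog' (SFCB) and 'slpd' (OpenSLP) and the firewall exception 'CIM SLP' are named as on a typical ESXi host.

```powershell
# Added example, not from the original post or from VMware.
# Assumptions: VMware.PowerCLI is installed and Connect-VIServer has already been run;
# service keys 'sfcbd-watchdog' (SFCB/CIM server) and 'slpd' (OpenSLP) and the
# firewall exception 'CIM SLP' (port 427) are named as on a typical ESXi host.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# The post gives a fixed build number for 7.0 only; for 6.5/6.7 compare the
# installed patch ID against VMSA-2021-0014 by hand.
$fixedBuild70 = 17630552
$serviceKeys  = @('sfcbd-watchdog', 'slpd')

foreach ($esx in Get-VMHost) {
    $patched = 'unknown (check VMSA-2021-0014)'
    if ($esx.Version -like '7.0*') {
        $patched = if ([int64]$esx.Build -ge $fixedBuild70) { 'yes' } else { 'NO' }
    }

    $services = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -in $serviceKeys }
    foreach ($svc in $services) {
        # One report row per host/service pair
        [pscustomobject]@{
            Host    = $esx.Name
            Version = $esx.Version
            Build   = $esx.Build
            Patched = $patched
            Service = $svc.Key
            Running = $svc.Running
            Policy  = $svc.Policy      # 'Off' means it will not start at boot
        }

        if ($Remediate -and ($svc.Running -or $svc.Policy -ne 'Off')) {
            # Stop the service now and keep it stopped across reboots
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            Set-VMHostService  -HostService $svc -Policy Off     | Out-Null
        }
    }

    if ($Remediate) {
        # Also close the SLP firewall ruleset (port 427) on the host
        Get-VMHostFirewallException -VMHost $esx -Name 'CIM SLP' |
            Set-VMHostFirewallException -Enabled $false | Out-Null
    }
}
```

Run it without -Remediate first to see which hosts still expose either service, then re-run with -Remediate only on hosts where nothing depends on CIM or SLP.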