On January 27th, 2022, VMware released vSphere 7.0 Update 3c. While this much anticipated update to ESXi 7.0 Update 3 addresses a wide range of critical issues, it also – unfortunately – leaves a gap.
EARLIER WITH VSPHERE 7 UPDATE 3…
In November 2021, VMware took the unprecedented step of retracting the ESXi 7 Update 3 release; it was no longer available for download. VMware took this drastic action to protect customers from potential failures as they upgraded to ESXi 7 U3.
ESXi 7 U3c contains cURL v7.77.0
The latest versions of ESXi 6.5 (v202110001) and ESXi 6.7 (v202111001) contain cURL v7.78.0, but ESXi 7 U3c (v19193900) contains cURL 7.77.0.
ESXi hosts running ESXi 7 Update 3c are still vulnerable to the following vulnerabilities:
CVE-2021-22922 Metalink check vulnerability
CVE-2021-22922 describes how cURL checks the cryptographic hash of downloaded files when compiled with --with-libmetalink and used with --metalink. However, the only indication that the hash was incorrect is a message displayed to the user; the files with incorrect hashes are left on disk as-is. Since metalink can be used with insecure protocols such as HTTP and FTP, the hash validation might be relied upon as the actual means of verifying download integrity against tampering.
This vulnerability has a CVSS score of 6.5.
CVE-2021-22923 Metalink download credential disclosure vulnerability
CVE-2021-22923 describes how cURL, when compiled with --with-libmetalink and used with --metalink and --user, will reuse the supplied credentials for any further transfers it performs. This includes transfers to different hosts and over different protocols, even ones without transport layer security. As a result, credentials intended only for the target site may end up being sent to outside hosts and, without transport layer security, may be intercepted by attackers through a Meddle in the Middle (MitM) attack.
This vulnerability has a CVSS score of 5.3.
CVE-2021-22924 Bad connection reuse vulnerability
CVE-2021-22924 describes how Curl_ssl_config_matches attempts to compare whether two SSL connections have identical SSL security options or not. The idea is to avoid reusing a connection that uses less secure, or completely different, security options such as capath, cainfo or certificate/issuer pinning. Unfortunately this function has several flaws in the way it checks path names.
This vulnerability has a CVSS score of 3.7.
CVE-2021-22925 TELNET stack contents disclosure vulnerability
CVE-2021-22925 describes how the -t command line option for cURL, known as CURLOPT_TELNETOPTIONS in libcurl, can be used to send variable=content pairs to telnet servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack-based buffer to the server, potentially revealing sensitive internal information to the server over a clear-text network protocol. This could happen because cURL did not call and use sscanf() correctly when parsing the string provided by the application.
This vulnerability has a CVSS score of 5.3.
CVE-2021-22926 Denial of Service vulnerability in CURLOPT_SSLCERT
CVE-2021-22926 describes how the libcurl Secure Transport SSL backend fails to protect the CURLOPT_SSLCERT option against a file in the current working directory overriding the keychain nickname that was specified. This makes it possible for a locally created file to override the CURLOPT_SSLCERT-specified certificate, causing a denial of service.
This vulnerability has a CVSS score of 7.5.
Going forward
VMware admins updating their vSphere 7 Update 3, vSphere 7 Update 3a and vSphere 7 Update 3b implementations to vSphere 7 Update 3c should be aware of the above five vulnerabilities.
There are no known workarounds. VMware has shared that cURL version 7.78.0 will ship with a future ESXi 7.x release.
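Until that release lands, the one check an admin can make is which cURL a host actually carries. The script below is an added example, not part of this article or any VMware tooling: it parses the first line of `curl --version` (run over SSH on the host, assumed to be the stock /bin/curl) and reports whether the version is older than 7.78.0, the release the article names as the fix. The sample output is constructed to mirror the 7.77.0 build described above.

```shell
#!/bin/sh
# Added example (not from the article or VMware): flag a curl binary that is
# older than 7.78.0, the version the article says carries the fixes.
# On an ESXi host, run over SSH as:  check_curl "$(curl --version)"

FIXED_VERSION="7.78.0"

# Pull "X.Y.Z" out of the first line of `curl --version`, e.g. "curl 7.77.0 (x86_64-...) ...".
curl_version_of() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when $1 is strictly older than $2, comparing major.minor.patch numerically
# (plain string comparison would rank 7.9.0 above 7.78.0, so each field is compared as a number).
version_older_than() {
    a_maj=${1%%.*}; a_rest=${1#*.}; a_min=${a_rest%%.*}; a_pat=${a_rest#*.}
    b_maj=${2%%.*}; b_rest=${2#*.}; b_min=${b_rest%%.*}; b_pat=${b_rest#*.}
    [ "$a_maj" -lt "$b_maj" ] && return 0
    [ "$a_maj" -gt "$b_maj" ] && return 1
    [ "$a_min" -lt "$b_min" ] && return 0
    [ "$a_min" -gt "$b_min" ] && return 1
    [ "$a_pat" -lt "$b_pat" ]
}

# Prints a verdict. Exit status: 0 = host still carries a vulnerable curl,
# 1 = curl is at or past the fixed version, 2 = output could not be parsed.
check_curl() {
    v=$(curl_version_of "$1")
    if [ -z "$v" ]; then
        echo "could not parse curl version from input"
        return 2
    fi
    if version_older_than "$v" "$FIXED_VERSION"; then
        echo "curl $v is older than $FIXED_VERSION: the five cURL CVEs above still apply"
        return 0
    fi
    echo "curl $v is at or past $FIXED_VERSION"
    return 1
}

# Constructed sample standing in for `curl --version` on an ESXi 7 U3c host (not real host output).
sample_output='curl 7.77.0 (x86_64-pc-linux-gnu) libcurl/7.77.0 OpenSSL/1.0.2 zlib/1.2.11'
check_curl "$sample_output"
```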
I have ESXi 7.0 Update 2d. Can't find my curl version anywhere. Anyone know if I should update 7u2d to 7u3c?