-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0677
           VMSA-2021-0002 VMware ESXi and vCenter Server updates
                 address multiple security vulnerabilities
                             24 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware vCenter Server (vCenter Server)
                   VMware Cloud Foundation (Cloud Foundation)
                   vSphere Client (HTML5)
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21974 CVE-2021-21973 CVE-2021-21972

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2021-0002.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2021-0002
CVSSv3 Range: 5.3-9.8
Issue Date: 2021-02-23
Updated On: 2021-02-23 (Initial Advisory)
CVE(s): CVE-2021-21972, CVE-2021-21973, CVE-2021-21974
Synopsis: VMware ESXi and vCenter Server updates address multiple security
vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)

1. Impacted Products

  o VMware ESXi
  o VMware vCenter Server (vCenter Server)
  o VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5) were
privately reported to VMware. Updates are available to remediate these
vulnerabilities in affected VMware products.

3a. VMware vCenter Server updates address remote code execution vulnerability
in the vSphere Client (CVE-2021-21972)

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability in
a vCenter Server plugin. VMware has evaluated the severity of this issue to be
in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to port 443 may exploit this issue to
execute commands with unrestricted privileges on the underlying operating
system that hosts vCenter Server. 

Resolution

To remediate CVE-2021-21972 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

Workarounds for CVE-2021-21972 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Notes

The affected vCenter Server plugin for vROPs is available in all default
installations. vROPs does not need to be present for this endpoint to be
available. Follow the workarounds KB to disable it.

Acknowledgements

VMware would like to thank Mikhail Klyuchnikov of Positive Technologies for
reporting this issue to us.

Response Matrix:

Product        Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation

vCenter Server 7.0     Any        CVE-2021-21972 9.8    critical 7.0 U1c       KB82374     None
vCenter Server 6.7     Any        CVE-2021-21972 9.8    critical 6.7 U3l       KB82374     None
vCenter Server 6.5     Any        CVE-2021-21972 9.8    critical 6.5 U3n       KB82374     None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                           Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation

Cloud Foundation (vCenter Server) 4.x     Any        CVE-2021-21972 9.8    critical 4.2           KB82374     None
Cloud Foundation (vCenter Server) 3.x     Any        CVE-2021-21972 9.8    critical 3.10.1.2      KB82374     None

3b. ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)

Description

OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated
the severity of this issue to be in the Important severity range with a maximum
CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor residing within the same network segment as ESXi who has
access to port 427 may be able to trigger the heap-overflow issue in the
OpenSLP service, resulting in remote code execution.

Resolution

To remediate CVE-2021-21974 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

Workarounds for CVE-2021-21974 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Notes

[1] Per the Security Configuration Guides for VMware vSphere, VMware now
recommends disabling the OpenSLP service in ESXi if it is not used. For more
information, see our blog posting:
https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html

[2] KB82705 documents the steps to consume the ESXi hot patch asynchronously on
top of the latest VMware Cloud Foundation (VCF) supported ESXi build.

Acknowledgements

VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro's Zero Day
Initiative for reporting this issue to us.

Response Matrix:

Product  Version Running On CVE Identifier CVSSv3 Severity  Fixed Version        Workarounds Additional Documentation

[1] ESXi 7.0     Any        CVE-2021-21974 8.8    important ESXi70U1c-17325551   KB76372     None
[1] ESXi 6.7     Any        CVE-2021-21974 8.8    important ESXi670-202102401-SG KB76372     None
[1] ESXi 6.5     Any        CVE-2021-21974 8.8    important ESXi650-202102101-SG KB76372     None

Impacted Product Suites that Deploy Response Matrix 3b Components:

Product                     Version Running On CVE Identifier CVSSv3 Severity  Fixed Version Workarounds Additional Documentation

[1] Cloud Foundation (ESXi) 4.x     Any        CVE-2021-21974 8.8    important 4.2           KB76372     None
[1] Cloud Foundation (ESXi) 3.x     Any        CVE-2021-21974 8.8    important KB82705 [2]   KB76372     None

3c. VMware vCenter Server updates address SSRF vulnerability in the vSphere
Client (CVE-2021-21973)

Description

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery)
vulnerability due to improper validation of URLs in a vCenter Server
plugin. VMware has evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 may exploit this issue by
sending a POST request to the vCenter Server plugin, leading to information
disclosure.

Resolution

To remediate CVE-2021-21973 apply the updates listed in the 'Fixed Version'
column of the 'Response Matrix' below to affected deployments.

Workarounds

Workarounds for CVE-2021-21973 have been listed in the 'Workarounds' column of
the 'Response Matrix' below.

Additional Documentation

None.

Notes

The affected vCenter Server plugin for vROPs is available in all default
installations. vROPs does not need to be present for this endpoint to be
available. Follow the workarounds KB to disable it.

Acknowledgements

VMware would like to thank Mikhail Klyuchnikov of Positive Technologies for
reporting this issue to us.

Response Matrix:

Product        Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation

vCenter Server 7.0     Any        CVE-2021-21973 5.3    moderate 7.0 U1c       KB82374     None
vCenter Server 6.7     Any        CVE-2021-21973 5.3    moderate 6.7 U3l       KB82374     None
vCenter Server 6.5     Any        CVE-2021-21973 5.3    moderate 6.5 U3n       KB82374     None

Impacted Product Suites that Deploy Response Matrix 3c Components:

Product                           Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation

Cloud Foundation (vCenter Server) 4.x     Any        CVE-2021-21973 5.3    moderate 4.2           KB82374     None
Cloud Foundation (vCenter Server) 3.x     Any        CVE-2021-21973 5.3    moderate 3.10.1.2      KB82374     None

4. References

VMware ESXi 7.0 ESXi70U1c-17325551
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1c.html

VMware ESXi 6.7 ESXi670-202102401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html

VMware ESXi 6.5 ESXi650-202102101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202102001.html

VMware vCloud Foundation 4.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2/rn/VMware-Cloud-Foundation-42-Release-Notes.html

VMware vCloud Foundation 3.10.1.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html

vCenter Server 7.0.1 Update 1
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC70U1C&productId=974
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u1c-release-notes.html

vCenter Server 6.7 U3l
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3L&productId=742&rPId=57171
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3l-release-notes.html

vCenter Server 6.5 U3n
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC65U3N&productId=614&rPId=60942
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3n-release-notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

FIRST CVSSv3 Calculator:
CVE-2021-21972: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-21973: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-21974: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


5. Change Log

2021-02-23 VMSA-2021-0002
Initial security advisory.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----