-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1805
         VMSA-2021-0010 - VMware vCenter Server - Critical RCE and
                      Authentication Vulnerabilities
                                26 May 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter Server (vCenter Server)
                   VMware Cloud Foundation (Cloud Foundation)
Publisher:         VMware
Operating System:  VMware ESX Server
                   Virtualisation
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21986 CVE-2021-21985

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2021-0010.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2021-0010 - VMware vCenter Server updates address remote code
execution and authentication vulnerabilities (CVE-2021-21985,
CVE-2021-21986)

Advisory ID: VMSA-2021-0010

CVSSv3 Range: 6.5-9.8

Issue Date: 2021-05-25
Updated On: 2021-05-25 (Initial Advisory)

CVE(s): CVE-2021-21985, CVE-2021-21986

Synopsis:
VMware vCenter Server updates address remote code execution and authentication
vulnerabilities (CVE-2021-21985, CVE-2021-21986)

1. Impacted Products
    VMware vCenter Server (vCenter Server)
    VMware Cloud Foundation (Cloud Foundation)

2. Introduction
Multiple vulnerabilities in the vSphere Client (HTML5) were privately reported
to VMware. Updates and workarounds are available to address these vulnerabilities
in affected VMware products.

3a. VMware vCenter Server updates address remote code execution vulnerability in
the vSphere Client (CVE-2021-21985)

Description
The vSphere Client (HTML5) contains a remote code execution vulnerability due
to lack of input validation in the Virtual SAN Health Check plug-in which is
enabled by default in vCenter Server. VMware has evaluated the severity of this
issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors
A malicious actor with network access to port 443 may exploit this issue to
execute commands with unrestricted privileges on the underlying operating system
that hosts vCenter Server.

Resolution
To remediate CVE-2021-21985 apply the updates listed in the 'Fixed Version' column
of the 'Response Matrix' below to affected deployments.

Workarounds
Workarounds for CVE-2021-21985 have been listed in the 'Workarounds' column of the
'Response Matrix' below.

Additional Documentation
None.

Notes
 - The affected Virtual SAN Health Check plug-in is enabled by default in all
   vCenter Server deployments, whether or not vSAN is being used.
 - A supplemental blog post was created for additional clarification. Please
   see: https://via.vmw.com/vmsa-2021-0010-blog

Acknowledgements
VMware would like to thank Ricter Z of 360 Noah Lab for reporting this issue to
us.

Response Matrix:
Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-21985  9.8     critical  7.0 U2b        KB83829
vCenter Server  6.7      Any         CVE-2021-21985  9.8     critical  6.7 U3n        KB83829
vCenter Server  6.5      Any         CVE-2021-21985  9.8     critical  6.5 U3p        KB83829

Impacted Product Suites that Deploy Response Matrix 3a Components:
Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-21985  9.8     critical  4.2.1          KB83829
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-21985  9.8     critical  3.10.2.1       KB83829

3b. Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)

Description
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication
mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle 
Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated
the severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 6.5.

Known Attack Vectors
A malicious actor with network access to port 443 on vCenter Server may perform
actions allowed by the impacted plug-ins without authentication.

Resolution
To remediate CVE-2021-21986 apply the updates listed in the 'Fixed Version' column
of the 'Response Matrix' below to affected deployments.

Workarounds
Workarounds for CVE-2021-21986 have been listed in the 'Workarounds' column of the
'Response Matrix' below.

Additional Documentation
None.

Notes
A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0010-blog

Acknowledgements
None.

Response Matrix:
Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
vCenter Server  7.0      Any         CVE-2021-21985  9.8     critical  7.0 U2b        KB83829
vCenter Server  6.7      Any         CVE-2021-21985  9.8     critical  6.7 U3n        KB83829
vCenter Server  6.5      Any         CVE-2021-21985  9.8     critical  6.5 U3p        KB83829

Impacted Product Suites that Deploy Response Matrix 3b Components:
Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-21985  9.8     critical  4.2.1          KB83829
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-21985  9.8     critical  3.10.2.1       KB83829

4. References

Fixed Version(s) and Release Notes:

vCenter Server 7.0 U2b
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/7_0
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2b-release-notes.html

vCenter Server 6.7 U3n
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3n-release-notes.html

vCenter Server 6.5 U3p
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3p-release-notes.html

VMware vCloud Foundation 4.2.1
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF421&productId=1121&rPId=67576
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2.1/rn/VMware-Cloud-Foundation-421-Release-Notes.html

VMware vCloud Foundation 3.10.2.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html#3.10.2.1

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986

FIRST CVSSv3 Calculator:
CVE-2021-21985: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-21986: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5. Change Log

2021-05-25 VMSA-2021-0010
Initial security advisory.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYK2lFuNLKJtyKPYoAQi2aQ//Y+K9RpkYM99DtF/QC87y4XIuwfTwkL5r
9s4oeypdVYbxb3Zc0AJ8l7vEH0WgsbpR2C3LOv8BDjlfgUUnCbgqblel5aPfbaKG
d5hLt+RAMEJiYbLfpvC/aHcdWkjdR+f0YjzqLUSQsdRMgI3O1IE25fxRPcstvmVM
72pVElBzfZlV3e+rVGsBc5F9/fzAfwCE8WpJb4RdGlbOOLcIF/OaTV/DK3m2UUCl
oY1/51VZQ+hJ7bEo1PUuHSyVxef7XD44C/ZFUmwpAVRMbhiqfawNmyodGZPOk15G
g4lxVIwTTABPxSjC3ODJ+gdH2XuQIZiRI5vxxyeKRU2QU9bYOtldw6i2F++fYBJv
vxxKAk0C4TlRsLe2T+tn7ZuiqrkbIJYGAFk7rc1FTujNpQo/Y6M/dfsYYzP7L7yC
HFxiJl+f2jUf0ZTKqQM8ViEU6GiJl8QH23ZwXAD437CLWEioRqS+nInmCfl+h8HS
zNaTWmE/X+iFyrG3kk6WSrZ2gM7bXUZvruFRo5WBy7nMW045Ho1QfOfeqe42v+Ty
j3KKijb//NJUez6P43UBIU1toV3JsCJTEY9FPZar6+3s3rMSjamyxmXryEJLq9KG
MN2LorBvNgcLeOe4TAjRli0jSOjrkgegbHQuz3pG9xdTTbpc2oNn2T22jg6FUNd7
Q+xfupGPY+A=
=FCyD
-----END PGP SIGNATURE-----