===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2387.2
                       VMWare Multiple Vulnerabilities
                               30 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Cloud Foundation
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Provide Misleading Information -- Existing Account
                   Denial of Service              -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21995 CVE-2021-21994

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2021-0014.html

Revision History:  August 30 2021: Vendor updated fixed version details
                   July   14 2021: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID:  VMSA-2021-0014.1
CVSSv3 Range: 5.3-7.0
Issue Date:   2021-07-13
Updated On:   2021-08-24
CVE(s):       CVE-2021-21994, CVE-2021-21995
Synopsis:     VMware ESXi updates address authentication and denial of
              service vulnerabilities (CVE-2021-21994, CVE-2021-21995)

1. Impacted Products

  o VMware ESXi
  o VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware ESXi were privately reported to VMware.
Updates and workarounds are available to remediate these vulnerabilities in
affected VMware products.

3a. ESXi SFCB improper authentication vulnerability (CVE-2021-21994)

Description

SFCB (Small Footprint CIM Broker) as used in ESXi has an authentication
bypass vulnerability. VMware has evaluated the severity of this issue to be
in the Important severity range with a maximum CVSSv3 base score of 7.0.

Known Attack Vectors

A malicious actor with network access to port 5989 on ESXi may exploit this
issue to bypass SFCB authentication by sending a specially crafted request.
Resolution

To remediate CVE-2021-21994 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-21994 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Notes

SFCB service is not enabled by default on ESXi. For successful exploitation,
SFCB service should be running. The status of the service can be checked by
following the steps mentioned in KB1025757.

Acknowledgements

VMware would like to thank Douglas Everson of Voya Financial for reporting
this issue to us.

Response Matrix

Product  Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version         Workarounds  Additional Documentation
ESXi     7.0      Any         CVE-2021-21994  7.0     important  ESXi70U2-17630552     KB1025757    None
ESXi     6.7      Any         CVE-2021-21994  7.0     important  ESXi670-202103101-SG  KB1025757    None
ESXi     6.5      Any         CVE-2021-21994  7.0     important  ESXi650-202107401-SG  KB1025757    None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (ESXi)  4.x      Any         CVE-2021-21994  7.0     important  4.3            KB1025757    None
Cloud Foundation (ESXi)  3.x      Any         CVE-2021-21994  7.0     important  3.10.2         KB1025757    None

3b. ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)

Description

OpenSLP as used in ESXi has a denial-of-service vulnerability due to a heap
out-of-bounds read issue. VMware has evaluated the severity of this issue to
be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 427 on ESXi may be able to
trigger a heap out-of-bounds read in the OpenSLP service, resulting in a
denial-of-service condition.

Resolution

To remediate CVE-2021-21995 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.
Workarounds

Workarounds for CVE-2021-21995 have been listed in the 'Workarounds' column
of the 'Response Matrix' below.

Additional Documentation

None.

Notes

Per the Security Configuration Guides for VMware vSphere, VMware now
recommends disabling the OpenSLP service in ESXi if it is not used. For more
information, see our blog posting:
https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html

Acknowledgements

VMware would like to thank VictorV(Tangtianwen) of Kunlun Lab for reporting
this issue to us.

Response Matrix

Product  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version         Workarounds  Additional Documentation
ESXi     7.0      Any         CVE-2021-21995  5.3     moderate  ESXi70U2-17630552     KB76372      None
ESXi     6.7      Any         CVE-2021-21995  5.3     moderate  ESXi670-202103101-SG  KB76372      None
ESXi     6.5      Any         CVE-2021-21995  5.3     moderate  ESXi650-202107401-SG  KB76372      None

Impacted Product Suites that Deploy Response Matrix 3b Components:

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (ESXi)  4.x      Any         CVE-2021-21995  5.3     moderate  4.3            KB76372      None
Cloud Foundation (ESXi)  3.x      Any         CVE-2021-21995  5.3     moderate  3.10.2         KB76372      None

4. References

VMware ESXi 7.0 ESXi70U2-17630552
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-702-release-notes.html

VMware ESXi 6.7 ESXi670-202103101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202103001.html

VMware ESXi 6.5 ESXi650-202107401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202107001.html

VMware Cloud Foundation 4.3
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.3/rn/VMware-Cloud-Foundation-43-Release-Notes.html

VMware Cloud Foundation 3.10.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21995

FIRST CVSSv3 Calculator:
CVE-2021-21994: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE-2021-21995: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5. Change Log

2021-07-13 VMSA-2021-0014
Initial security advisory.

2021-08-24 VMSA-2021-0014.1
Added Cloud Foundation 4.x fixed version in the Response Matrix section of
3a and 3b.
6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================