-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2387
                      VMWare Multiple Vulnerabilities
                               14 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware ESXi
                   VMware Cloud Foundation
Publisher:         VMWare
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Existing Account      
                   Denial of Service              -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21995 CVE-2021-21994 

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2021-0014.html

- --------------------------BEGIN INCLUDED TEXT--------------------

1. Impacted Products

VMware ESXi
VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware ESXi were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products.
3a. ESXi SFCB improper authentication vulnerability (CVE-2021-21994)

Description

SFCB (Small Footprint CIM Broker) as used in ESXi has an authentication bypass vulnerability.VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.0.

Known Attack Vectors

A malicious actor with network access to port 5989 on ESXi may exploit this issue to bypass SFCB authentication by sending a specially crafted request.

Resolution

To remediate CVE-2021-21994 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-21994 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Notes

SFCB service is not enabled by default on ESXi. For successful exploitation, SFCB service should be running. The status of the service can be checked by following the steps mentioned in KB1025757.

Acknowledgements

VMware would like to thank Douglas Everson of Voya Financial for reporting this issue to us.

Response Matrix
Product 	Version 	Running On 	CVE Identifier 	CVSSv3 	Severity 	Fixed Version 	     Workarounds 	Additional Documentation
ESXi        7.0         Any         CVE-2021-21994  7.0     important   ESXi70U2-17630552    KB1025757      None
ESXi        6.7         Any         CVE-2021-21994  7.0     important   ESXi670-202103101-SG KB1025757      None
ESXi        6.5         Any         CVE-2021-21994  7.0     important   ESXi650-202107401-SG KB1025757      None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product 				Version 	Running On 	CVE Identifier 	CVSSv3 	Severity 	Fixed Version 	Workarounds 	Additional Documentation
Cloud Foundation (ESXi) 4.x         Any         CVE-2021-21994  7.0     important   Patch pending   KB1025757       None
Cloud Foundation (ESXi) 3.x         Any         CVE-2021-21994  7.0     important   3.10.2          KB1025757       None

3b. ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)

Description

OpenSLP as used in ESXi has a denial-of-service vulnerability due a heap out-of-bounds read issue. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in OpenSLP service resulting in a denial-of-service condition.

Resolution

To remediate CVE-2021-21995 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-21995 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Notes

Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. For more information, see our blog posting: https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html

Acknowledgements

VMware would like to thank VictorV(Tangtianwen) of Kunlun Lab for reporting this issue to us.

Response Matrix
Product 	Version 	Running On 	CVE Identifier 	CVSSv3 	Severity 	Fixed Version 	     Workarounds 	Additional Documentation
ESXi        7.0         Any         CVE-2021-21995  5.3     moderate    ESXi70U2-17630552    KB76372        None
ESXi        6.7         Any         CVE-2021-21995  5.3     moderate    ESXi670-202103101-SG KB76372        None
ESXi        6.5         Any         CVE-2021-21995  5.3     moderate    ESXi650-202107401-SG KB76372        None

Impacted Product Suites that Deploy Response Matrix 3b Components:
Product 	             Version 	Running On 	CVE Identifier 	CVSSv3 	Severity 	Fixed Version 	Workarounds 	Additional Documentation
Cloud Foundation (ESXi)  4.x        Any         CVE-2021-21995  5.3     moderate    Patch pending   KB76372         None
Cloud Foundation (ESXi)  3.x        Any         CVE-2021-21995  5.3     moderate    3.10.2          KB76372         None

4. References

VMware ESXi 7.0 ESXi70U2-17630552 
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-702-release-notes.html

VMware ESXi 6.7 ESXi670-202103101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202103001.html

VMware ESXi 6.5 ESXi650-202107401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202107001.html 

VMware vCloud Foundation 3.10.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21995

FIRST CVSSv3 Calculator:
CVE-2021-21994: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L 
CVE-2021-21995: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5. Change Log

2021-07-13 VMSA-2021-0014
Initial security advisory.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYO5yruNLKJtyKPYoAQjZXRAAiL8XO8y8Z6E5FRTkfqLQlOzxGeYAFU5q
Oow9jiqDXNXBlgmxNgELznKT8QMWuabuCyWP86IHrgyhWJLM18HZ9BcmcSzUZPlu
RV/JPoZB8wUMACcjf/KRZPcucsHuBLmUqSKDnkFZAw/kHgm5MGp4nPFiD7NaYKNn
ZBlrolP0+8lii4A+WqDxJA8HH4uEYrlVxEyaeJcPOz8BS8SpMg1Pi+eXFdFg5Zak
cw/UcEQY7Lj+kklOB25AXeJdGQTC6ldKoGboGfy91N/GauAqqRg0RaRhGznXeb2E
k00FKY+NroO1xBE4CJrhTvMFez9kWRG04EQqBgn9a7BeKWhXaV96ff3+omjPeAqO
us6r4WMss49rb8Csh2wiSfzDyUuS+tjQ0ncKzBIy+TQ1UDTI32NYxH7qTKXD6/VA
7sFsrtSqYgR1Vdmy1LuzIIyTCfwSAHFEBaA4nHc2AW7bsAG68y5OsPBy9tJz8ryF
SWkET2EVMY6DhvUguLyHhLCOaEgzi7hAlje2ZTVkVLjJW2u2UW5rl2FruZcFJNue
R0+SNRMOIZS2Bpl2VPdWn+nj34nJALC4l1wrOa5ucfjDneukXNwjYyEwgYXm7q93
PzpTVuH0Q2F+x9iOrJM1Ly/8MDlWsXiLgQcv4x9KXbWoTOA7zgiOgVPPnkk1aeSw
ZRIHf5t93aE=
=fRGM
-----END PGP SIGNATURE-----