VMware Security Advisory VMSA-2021-0002, CVSSv3 range 5.3-9.8

Today VMware released a new critical security advisory, VMSA-2021-0002, affecting VMware ESXi and vCenter Server (and, through them, VMware Cloud Foundation). The updates address three vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974); the most severe, CVE-2021-21972, carries a maximum CVSSv3 base score of 9.8.

Impacted Products
  • VMware ESXi
  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)
Introduction

Multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5) were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972)

Description

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Resolution

For vCenter 7.0, apply patch 7.0U1c. Download and release notes links will be provided below.

For vCenter 6.7, apply patch 6.7U3l. Download and release notes links will be provided below.

For vCenter 6.5, apply patch 6.5U3n. Download and release notes links will be provided below.

For Cloud Foundation (vCenter Server) 4.x, apply patch 4.2. Download and release notes links will be provided below.

For Cloud Foundation (vCenter Server) 3.x, apply patch 3.10.1.2. Download and release notes links will be provided below.

Workarounds

There is a workaround for this listed in the following KB article: VMware vCenter Server Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 (82374)

Be careful with the workaround if you are using vROps, since it disables the vROps plugin in the vSphere Client. See the KB for more information.

Notes

The affected vROps plugin for vCenter Server is present in all default installations; vROps itself does not need to be deployed for the vulnerable endpoint to be exposed. Follow the workaround KB to disable it until you can patch.

ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)

Description

OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

Resolution

For ESXi 7.0, apply patch ESXi70U1c-17325551. Download and release notes links will be provided below.

For ESXi 6.7, apply patch ESXi670-202102401-SG. Download and release notes links will be provided below.

For ESXi 6.5, apply patch ESXi650-202102101-SG. Download and release notes links will be provided below.

For Cloud Foundation (ESXi) 4.x, apply patch 4.2. Download and release notes links will be provided below.

For Cloud Foundation (ESXi) 3.x, check KB82705: Guidelines for async application of ESXi hot patch on top of latest VCF supported ESXi build (82705) (vmware.com)

Workarounds

There is a workaround listed in the following KB article. How to Disable/Enable CIM Server on VMware ESXi (76372)

Notes

[1] Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. For more information, see our blog posting: https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html

[2] KB82705 documents steps to consume ESXi hot patch asynchronously on top of latest VMware Cloud Foundation (VCF) supported ESXi build.
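Once the patch or the KB76372 workaround is rolled out, the check a practitioner wants is whether any host on the management segment still answers SLP on port 427. The script below is an added example of mine, not code from VMware, the advisory or the KB: it builds a unicast SLPv2 Service Request per RFC 2608 and parses the Service Reply. A unicast SrvRqst always draws a SrvRply from a live service agent, even one carrying zero URLs, so any parsed reply means slpd is still reachable. The service type `service:wbem` is my assumption of what ESXi's CIM server registers with slpd; the host names and the fixture reply produced by `constructed_srvrply()` are constructed for illustration.

```python
"""Added example, not code from VMware, the advisory or KB76372: a unicast
SLPv2 probe (RFC 2608) to inventory which hosts still answer on port 427.
Assumptions: ESXi's CIM server registers as "service:wbem" with slpd; the
host list and the fixture reply built by constructed_srvrply() are made up."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request
FN_SRVRPLY = 2   # Service Reply


def _slp_string(s: str) -> bytes:
    """2-byte big-endian length prefix + UTF-8 bytes, the SLPv2 string encoding."""
    raw = s.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw


def _slp_header(function_id: int, body: bytes, xid: int) -> bytes:
    """SLPv2 header: version, function, 3-byte length, flags, 3-byte ext offset, XID, lang tag."""
    lang = _slp_string("en")
    total = 12 + len(lang) + len(body)       # 12 fixed header bytes precede the language tag
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags: unicast, no overflow/fresh/mcast bits
            + (0).to_bytes(3, "big")          # next extension offset: none
            + struct.pack("!H", xid)
            + lang)


def build_srvrqst(service_type: str = "service:wbem", scope: str = "DEFAULT",
                  xid: int = 1) -> bytes:
    """SrvRqst (RFC 2608 8.1): PRList, service type, scope list, predicate, SLP SPI."""
    body = (_slp_string("")              # previous responders: none
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string("")            # predicate: match everything
            + _slp_string(""))           # SLP SPI: no authentication requested
    return _slp_header(FN_SRVRQST, body, xid) + body


def parse_srvrply(data: bytes):
    """Parse a SrvRply (RFC 2608 8.2) into (error_code, [service URLs]).

    Raises ValueError for anything that is not a well-formed SLPv2 SrvRply,
    so a malformed or hostile reply never turns into a silent false negative."""
    pos = 0

    def need(n):                         # bounds check before every slice
        if pos + n > len(data):
            raise ValueError("truncated SLP message")

    need(14)
    if data[0] != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {data[0]})")
    if data[1] != FN_SRVRPLY:
        raise ValueError(f"not a SrvRply (function id {data[1]})")
    if int.from_bytes(data[2:5], "big") != len(data):
        raise ValueError("length field disagrees with message size")
    lang_len = struct.unpack("!H", data[12:14])[0]
    pos = 14 + lang_len
    need(4)
    err, count = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    urls = []
    for _ in range(count):
        need(5)                          # URL entry: reserved(1) lifetime(2) url-length(2)
        url_len = struct.unpack("!xxxH", data[pos:pos + 5])[0]
        pos += 5
        need(url_len + 1)                # URL bytes plus the auth-block count byte
        urls.append(data[pos:pos + url_len].decode("utf-8", "replace"))
        pos += url_len
        if data[pos] != 0:
            raise ValueError("URL authentication blocks not supported")
        pos += 1
    return err, urls


def constructed_srvrply(urls, xid: int = 1, error: int = 0) -> bytes:
    """Constructed fixture (not a capture): a SrvRply carrying the given URLs."""
    body = struct.pack("!HH", error, len(urls))
    for url in urls:
        raw = url.encode("utf-8")
        body += struct.pack("!xHH", 65535, len(raw)) + raw + b"\x00"   # lifetime, URL, no auth
    return _slp_header(FN_SRVRPLY, body, xid) + body


def probe(host: str, timeout: float = 2.0):
    """Unicast one SrvRqst to host:427 over UDP; None if silent, else (err, urls)."""
    xid = 0x5A5A
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srvrqst(xid=xid), (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    if len(data) >= 12 and struct.unpack("!H", data[10:12])[0] != xid:
        raise ValueError("reply XID does not match our request")
    return parse_srvrply(data)


if __name__ == "__main__":
    for h in ["esxi01.example.internal", "esxi02.example.internal"]:   # constructed host list
        try:
            r = probe(h)
        except (OSError, ValueError) as exc:
            print(f"{h}: {exc}")
            continue
        print(f"{h}: " + ("no SLP answer" if r is None else f"SLP answering, error={r[0]}, urls={r[1]}"))
```

Run it from a host on the same segment as the ESXi management interfaces, which is exactly the position the advisory describes for an attacker; a host that is patched but still answers has the service exposed for no reason and should get the KB76372 treatment as the Security Configuration Guide now recommends.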

VMware vCenter Server updates address SSRF vulnerability in the vSphere Client (CVE-2021-21973)

Description

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.

Resolution

For vCenter 7.0, apply patch 7.0U1c. Download and release notes links will be provided below.

For vCenter 6.7, apply patch 6.7U3l. Download and release notes links will be provided below.

For vCenter 6.5, apply patch 6.5U3n. Download and release notes links will be provided below.

For Cloud Foundation (vCenter Server) 4.x, apply patch 4.2. Download and release notes links will be provided below.

For Cloud Foundation (vCenter Server) 3.x, apply patch 3.10.1.2. Download and release notes links will be provided below.

Workarounds

There is a workaround for this listed in the following KB article: VMware vCenter Server Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 (82374)

Be careful with the workaround if you are using vROps, since it disables the vROps plugin in the vSphere Client. See the KB for more information.

Notes

The affected vROps plugin for vCenter Server is present in all default installations; vROps itself does not need to be deployed for the vulnerable endpoint to be exposed. Follow the workaround KB to disable it until you can patch.
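KB82374 is the workaround for both CVE-2021-21972 and CVE-2021-21973, and the question an operator has across a fleet of appliances is "has it been applied here yet?". The script below is an added example of mine, not VMware's code and not the text of the KB: it reads the vSphere UI plugin compatibility matrix, reports whether the vROps plugin package is already marked incompatible, and if not applies the entry idempotently after taking a backup. The file path, the `<pluginsCompatibility>` element and the plugin id `com.vmware.vrops.install` are my reading of KB82374 and should be verified against the KB before use; `SAMPLE_MATRIX` is a constructed stand-in for the real file. Remember the caveat above: once applied, the vROps plugin is unavailable in the vSphere Client until the entry is removed again.

```python
"""Added example, not VMware's code nor the text of KB82374: check whether a
vCenter Server Appliance already carries the KB82374 workaround (the vROps
plugin package marked incompatible in the vSphere UI compatibility matrix)
and apply it idempotently with a backup.
Assumptions to verify against the KB before use: MATRIX_PATH, the
<pluginsCompatibility> element and VROPS_PLUGIN_ID. SAMPLE_MATRIX is a
constructed stand-in for the real file."""
import shutil
import sys
import time
import xml.etree.ElementTree as ET

MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"   # per my reading of KB82374
VROPS_PLUGIN_ID = "com.vmware.vrops.install"                       # per my reading of KB82374

SAMPLE_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
   <pluginsCompatibility>
      <!-- constructed sample: the shipped file carries VMware's own entries -->
   </pluginsCompatibility>
</Matrix>
"""


def _parse(xml_text: str) -> ET.Element:
    """Parse keeping comments (Python 3.8+), so a rewrite does not strip the file's notes."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def vrops_plugin_blocked(xml_text: str) -> bool:
    """True if some <PluginPackage> already marks the vROps plugin incompatible."""
    return any(
        pkg.get("id") == VROPS_PLUGIN_ID and pkg.get("status") == "incompatible"
        for pkg in _parse(xml_text).iter("PluginPackage")
    )


def apply_workaround(xml_text: str) -> str:
    """Return the matrix text with the KB82374 entry present (no-op if it already is)."""
    if vrops_plugin_blocked(xml_text):
        return xml_text
    root = _parse(xml_text)
    section = root.find("pluginsCompatibility")
    if section is None:                  # defensive: create the section if the file lacks it
        section = ET.SubElement(root, "pluginsCompatibility")
    ET.SubElement(section, "PluginPackage", id=VROPS_PLUGIN_ID, status="incompatible")
    if hasattr(ET, "indent"):            # Python 3.9+: keep the rewritten file readable
        ET.indent(root, space="   ")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def main(path: str) -> int:
    with open(path, encoding="utf-8") as fh:
        current = fh.read()
    if vrops_plugin_blocked(current):
        print(f"{path}: vROps plugin already marked incompatible, nothing to do")
        return 0
    backup = f"{path}.{time.strftime('%Y%m%d-%H%M%S')}.bak"
    shutil.copy2(path, backup)           # keep the original so the change can be reverted
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(apply_workaround(current))
    print(f"{path}: workaround written, backup at {backup}")
    print("restart the UI for it to take effect: service-control --stop vsphere-ui && "
          "service-control --start vsphere-ui   (commands per KB82374, verify)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else MATRIX_PATH))
```

Run it on the appliance itself (it has to edit the file in place); `apply_workaround()` returns the input unchanged when the entry already exists, so re-running it from configuration management never stacks duplicate entries.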

References

VMware ESXi 7.0 ESXi70U1c-17325551
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u1c.html

VMware ESXi 6.7 ESXi670-202102401-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202102001.html

VMware ESXi 6.5 ESXi650-202102101-SG
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202102001.html

VMware Cloud Foundation 4.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2/rn/VMware-Cloud-Foundation-42-Release-Notes.html

VMware Cloud Foundation 3.10.1.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.1/rn/VMware-Cloud-Foundation-3101-Release-Notes.html

vCenter Server 7.0 U1c
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC70U1C&productId=974
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u1c-release-notes.html

vCenter Server 6.7 U3l
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC67U3L&productId=742&rPId=57171
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3l-release-notes.html

vCenter Server 6.5 U3n
Downloads and Documentation:
https://my.vmware.com/web/vmware/downloads/details?downloadGroup=VC65U3N&productId=614&rPId=60942
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3n-release-notes.html

Link to the advisory from VMware: VMSA-2021-0002 (vmware.com)

Thanks for reading