VMware Security Announcement VMSA-2021-0020, CVSSv3 Score 4.3-9.8 Critical

VMware has just released a new security advisory, VMSA-2021-0020. This advisory covers 19 CVEs that affect vCenter Server. Here are the included CVEs:
CVE-2021-21991, CVE-2021-21992, CVE-2021-21993, CVE-2021-22005, CVE-2021-22006, CVE-2021-22007, CVE-2021-22008, CVE-2021-22009, CVE-2021-22010, CVE-2021-22011, CVE-2021-22012, CVE-2021-22013, CVE-2021-22014, CVE-2021-22015, CVE-2021-22016, CVE-2021-22017, CVE-2021-22018, CVE-2021-22019, CVE-2021-22020. VMware also created a supplemental blog post for additional clarification. Please see: https://via.vmw.com/vmsa-2021-0020-faq

VMware also created a FAQ page, located here: VMSA-2021-0020: Questions & Answers | VMware

Impacted Products

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

vCenter Server file upload vulnerability (CVE-2021-22005)

Description

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

Fixed Versions and Workarounds will be provided below

vCenter Server local privilege escalation vulnerability (CVE-2021-21991)

Description

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).

Fixed Versions and Workarounds will be provided below

vCenter Server reverse proxy bypass vulnerability (CVE-2021-22006)

Description

The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to access restricted endpoints.

Fixed Versions and Workarounds will be provided below

vCenter server unauthenticated API endpoint vulnerability (CVE-2021-22011)

Description

The vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to perform unauthenticated VM network setting manipulation.

Fixed Versions and Workarounds will be provided below

vCenter Server improper permission local privilege escalation vulnerabilities (CVE-2021-22015)

Description

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.

Fixed Versions and Workarounds will be provided below

vCenter Server unauthenticated API information disclosure vulnerability (CVE-2021-22012)

Description

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

Fixed Versions and Workarounds will be provided below

vCenter Server file path traversal vulnerability (CVE-2021-22013)

Description

The vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

Fixed Versions and Workarounds will be provided below

vCenter Server reflected XSS vulnerability (CVE-2021-22016)

Description

The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

An attacker may exploit this issue to execute malicious scripts by tricking a victim into clicking a malicious link.

Fixed Versions and Workarounds will be provided below

vCenter Server rhttpproxy bypass vulnerability (CVE-2021-22017)

Description

Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass the proxy, leading to internal endpoints being accessed.

Fixed Versions and Workarounds will be provided below

vCenter Server authenticated code execution vulnerability (CVE-2021-22014)

Description

The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

An authenticated VAMI user with network access to port 5480 on vCenter Server may exploit this issue to execute code on the underlying operating system that hosts vCenter Server.

Fixed Versions and Workarounds will be provided below

vCenter Server file deletion vulnerability (CVE-2021-22018)

Description

The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor with network access to port 9087 on vCenter Server may exploit this issue to delete non-critical files.

Fixed Versions and Workarounds will be provided below

vCenter Server XML parsing denial-of-service vulnerability (CVE-2021-21992)

Description

The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) and vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service condition on the vCenter Server host.

Fixed Versions and Workarounds will be provided below

vCenter Server local information disclosure vulnerability (CVE-2021-22007)

Description

The vCenter Server contains a local information disclosure vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

Known Attack Vectors

An authenticated user with non-administrative privilege may exploit this issue to gain access to sensitive information.

Fixed Versions and Workarounds will be provided below

vCenter Server denial of service vulnerability (CVE-2021-22019)

Description

The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to create a denial of service condition.

Fixed Versions and Workarounds will be provided below

vCenter Server VAPI multiple denial of service vulnerabilities (CVE-2021-22009)

Description

The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit these issues to create a denial of service condition due to excessive memory consumption by VAPI service.

Fixed Versions and Workarounds will be provided below

vCenter Server VPXD denial of service vulnerability (CVE-2021-22010)

Description

The vCenter Server contains a denial-of-service vulnerability in VPXD (Virtual Provisioning X Daemon) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to create a denial of service condition due to excessive memory consumption by VPXD service.

Fixed Versions and Workarounds will be provided below

vCenter Server information disclosure vulnerability (CVE-2021-22008)

Description

The vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to gain access to sensitive information.

Fixed Versions and Workarounds will be provided below

vCenter Server Analytics service denial-of-service Vulnerability (CVE-2021-22020)

Description

The vCenter Server contains a denial-of-service vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.0.

Known Attack Vectors

Successful exploitation of this issue may allow an attacker to create a denial-of-service condition on vCenter Server.

Fixed Versions and Workarounds will be provided below

vCenter Server SSRF vulnerability (CVE-2021-21993)

Description

The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.

Known Attack Vectors

An authorized user with access to content library may exploit this issue by sending a POST request to vCenter Server leading to information disclosure.

Fixed Versions and Workarounds will be provided below

Fixes and Workarounds

For vCenter 7, the highest severity vulnerability (CVSSv3 9.8, CVE-2021-22005) is patched in version 7.0 U2c. There is also a workaround for this issue listed in the following KB: Workaround Instructions for CVE-2021-22005 (85717) (vmware.com)

7.0 U2c also fixes several of the other vulnerabilities; apply patch 7.0 U2d to fix the rest.

For VMware Cloud Foundation 4.x (vCenter Server), follow the directions listed in the following KB: Applying vCenter Server 7.0 Update 2d patch on VMware Cloud Foundation on 4.1.x, 4.2.x, 4.3 (85718)

There is also a workaround listed in this KB: Workaround Instructions for CVE-2021-22005 (85717) (vmware.com)

Download links and release notes will be provided below.

For vCenter 6.7, apply fixed version 6.7 U3o. There is also a workaround listed in the following KB: Workaround Instructions for CVE-2021-22005 (85717) (vmware.com)

For VMware Cloud Foundation 3.x, follow the directions listed in this KB: Applying vCenter Server 6.7 Update 3o patch on VMware Cloud Foundation on 3.X (85719)

Workarounds are listed in KB: Workaround Instructions for CVE-2021-22005 (85717) (vmware.com)

Windows versions of vCenter 6.7 are not affected!

Download links and release notes will be provided below.

For vCenter Server 6.5, apply fixed version 6.5 U3q. Windows versions of vCenter Server 6.5 are not affected!

Download links and release notes will be provided below.
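To turn the version guidance above into a repeatable check across an estate, here is an added Python example (it is not part of the original post and not a VMware tool). It parses vCenter version strings written in the "X.Y UNx" form used in this post (for example "7.0 U2c"), compares them against the fixed versions named here, and reports whether a given vCenter is fully fixed, fixed only for CVE-2021-22005 (7.0 U2c), still vulnerable, or not affected (Windows-based 6.5 and 6.7). It assumes the version string has been read from the vCenter's own version display and, as an assumption beyond what the post states, that later updates on the same release line carry these fixes forward.

```python
import re
from typing import Optional, Tuple

# Fixed versions per the post: 7.0 U2d, 6.7 U3o, 6.5 U3q (vCenter Server Appliance).
FIXED_VERSIONS = {"7.0": "7.0 U2d", "6.7": "6.7 U3o", "6.5": "6.5 U3q"}
# 7.0 U2c closes CVE-2021-22005 (the 9.8) but U2d is required for the rest.
PARTIAL_FIX = {"7.0": "7.0 U2c"}
# Windows-based vCenter 6.5 / 6.7 are stated as not affected.
WINDOWS_UNAFFECTED = {"6.5", "6.7"}

# Accepts "7.0", "7.0 U2", "7.0 U2c" (whitespace before "U" optional).
_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\s*U(\d+)([a-z])?)?$")


def parse_version(text: str) -> Tuple[str, int, int]:
    """Return (release_line, update_number, patch_letter_rank) for a version string.

    Missing update -> 0; missing patch letter -> 0, 'a' -> 1, 'b' -> 2, ...
    so tuples compare in release order within one release line.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    line, update, letter = m.groups()
    update_num = int(update) if update else 0
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return line, update_num, letter_rank


def assess(version: str, platform: str = "appliance") -> str:
    """Classify a vCenter against VMSA-2021-0020.

    Returns one of: "fixed", "partial", "vulnerable", "not affected", "unknown".
    platform is "appliance" (vCSA) or "windows".
    Assumption: any update at or above the fixed one on the same line is fixed.
    """
    line, upd, ltr = parse_version(version)
    if platform == "windows" and line in WINDOWS_UNAFFECTED:
        return "not affected"
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return "unknown"  # release line not covered by this advisory text
    if (upd, ltr) >= parse_version(fixed)[1:]:
        return "fixed"
    partial: Optional[str] = PARTIAL_FIX.get(line)
    if partial and (upd, ltr) >= parse_version(partial)[1:]:
        return "partial"  # CVE-2021-22005 fixed; apply the full update for the rest
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("vc-prod-01", "7.0 U2d", "appliance"),
                 ("vc-prod-02", "7.0 U2c", "appliance"),
                 ("vc-lab-01", "6.7 U3n", "appliance"),
                 ("vc-legacy", "6.5 U3", "windows")]
    for name, ver, plat in inventory:
        print(f"{name:12} {ver:10} {plat:10} -> {assess(ver, plat)}")
```

Hosts reported as "partial" are protected against the critical file upload issue only and still need 7.0 U2d; "vulnerable" hosts should get the KB 85717 workaround applied until the patch window if the update cannot be scheduled immediately.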

References

Fixed Version(s) and Release Notes:

vCenter Server 7.0 U2d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U2D&productId=974&rPId=74352
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2d-release-notes.html

vCenter Server 6.7 U3o
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC67U3O&productId=742&rPId=73667
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3o-release-notes.html

vCenter Server 6.5 U3q
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC65U3Q&productId=614&rPId=74057
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3q-release-notes.html

VMware Cloud Foundation 4.3.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.3.1/rn/VMware-Cloud-Foundation-431-Release-Notes.html

VMware Cloud Foundation 3.10.2.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html

Link to the official advisory:

VMSA-2021-0020 (vmware.com)

Thanks for reading and Happy Patching!