Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Thousands of Vulnerable VMWare vCenter Servers Still Publicly Exposed (CVE-2021-21985, CVE-2021-21986)

June 2021 by Jason Villaluna, Security Researcher, Trustwave SpiderLabs

VMware released patches to address VMSA-2021-0010[1], a critical security advisory for VMware vCenter Server addressing two vulnerabilities. One of them was a remote code execution (RCE) in the vSphere Client (CVE-2021-21985) that exists due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in the vCenter Server. Any attackers with access to the network may exploit this vulnerability and execute commands with unrestricted privileges. The other one (CVE-2021-21986) is an authentication mechanism issue in vCenter Server plug-ins like Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability. As per Vmware’s advisory, the following versions are affected.

Affected Versions

• vCenter Server 6.5.0 before 6.5.0 build 17994927
• vCenter Server 6.7.0 before 6.7.0 build 18010531
• vCenter Server 7.0.0 before 7.0.2 build 17958471
• Cloud Foundation vCenter Server 3.x before build 18015401
• Cloud Foundation vCenter Server 4.x before 4.2.1 build 18016307

Using Shodan for recon

vCenter Server is a centralized management utility to manage virtual machines, ESXi hosts, and other dependent components. vCenter Server is used by many companies to manage their infrastructure making it a possible attack initiation point. VMWare mentioned that these issues needed immediate attention in their blog[2] so we decided to review Shodan for a quick analysis on the number of vCenter Server instances directly connected to the Internet that are vulnerable to these flaws based on their self-reported version. On Shodan, there are 5,271 instances of VMWare vCenter Server that are directly connected to Internet.

Majority of these instances are running versions 6.7.0, 6.5.0, and 7.0.x. (Figure 2)

Other stats show that top ports are probably using SSL/TLS, with port 443 the most used:

So far, we have been able to gather information about the product, version and ports. But how do we know if a host is vulnerable or what percentage of those hosts are vulnerable? Shodan provides downloadable data that contains banners and other valuable information for each host. Figure 4 lists the command to download information.

Once data has been downloaded, we can use the parse option from shodan-cli to get information such as port number and version of the server (Figure 5). The build number is found in the HTTP response (Figure 6) as well as an object vmware in the JSON file (Figure 7). The os_type can be used to determine the Operating System (OS) of the server, for this example majority of the hosts are using Linux.

Hosts vulnerable to vCenter Server vulnerabilities The downloaded data from Shodan is a compressed JSON file which can be parsed using simple scripts to check if the host’s version is affected by these vulnerabilities.

Unfortunately, most of those “not vulnerable” 950 (19.12%) hosts are old versions (e.g., 2.5.0, 4.0.0, and other end of life (EOL)), and only eight hosts have versions that are supported. Implying that majority of these are not patched since they are unsupported.

The best way to protect your server is by applying the patch provided by VMware. This is the fastest and recommended way to remove the vulnerability completely. However, if you can’t patch immediately, you should add the following lines under "pluginsCompatibility" element in your compatibility-matrix.xml file:

Then stop and restart the “vsphere-ui” service. This will disable the plugins affected by these vulnerabilities. Please consider checking the importance of these plugins from your system before disabling them. See more details and tips for patching from VMware’s blog post[2] and article[3].

Trustwave Security Testing Services customers can detect vulnerable instances of VMware vCenter Server on their managed and self-service vulnerability scans.

[2] https://blogs.vmw

See previous articles


See next articles