Security News > 2021 > February > Critical RCE Flaws Affect VMware ESXi and vSphere Client — Patch Now
VMware has addressed multiple critical remote code execution vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems.
The vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, making it critical in severity.
"In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix," said Positive Technologies' Mikhail Klyuchnikov, who discovered and reported the flaw to VMware.
Separately, a second vulnerability allows unauthorized users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company's internal network and retrieve specifics about the open ports of various services.
It's worth noting that VMware rectified a command injection vulnerability in its vSphere Replication product earlier this month that could grant a bad actor with administrative privileges to execute shell commands and achieve RCE. Lastly, VMware also resolved a heap-overflow bug in ESXi's service location protocol, potentially allowing an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it.
OpenSLP provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/vbbWfPjXKcY/critical-rce-flaw-affects-vmware.html
Related news
- VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion (source)
- VMware patches critical flaws in ESXi, Workstation, Fusion and Cloud Foundation (source)
- Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) (source)
- Exploit available for new critical TeamCity auth bypass bug, patch now (source)
- VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws (source)
- Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Fortinet warns of critical RCE bug in endpoint management software (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-02-24 | CVE-2021-21972 | Path Traversal vulnerability in VMWare Cloud Foundation and Vcenter Server The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. | 9.8 |