VMware reveals critical vCenter hole it says 'needs to be considered at once'
VMware has revealed a critical bug that can be exploited to achieve unauthenticated remote code execution in the very core of a virtualised system - vCenter Server.
The culprit is the vSphere HTML5 client, which by default includes the Virtual SAN Health plugin - even if you don't run a VMware VSAN. That plugin lacks input validation and the result, as explained by VMware's advisory this week, is: "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server."
As vCenter is the tool with which VMware users drive their fleets of virtual machines, the bug is rated a 9.8 out of 10 in severity.
VMware has also reported CVE-2021-21986, an authentication mechanism vulnerability in the vSphere HTML5 client that is also bad news for the Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plugins.
Seeing as the Site Recovery plugin is a disaster recovery tool, The Register shudders at the possibilities if an attacker managed to both introduce ransomware and mess with recovery infrastructure.
Adding further complications, VMware has extended the supported lifespan of some vCenter versions that shipped with the Flash client, meaning those who persist with those versions will also need to maintain old-school browsers that still support Adobe's dangerous Flash-rendering code.
News URL: https://go.theregister.com/feed/www.theregister.com/2021/05/26/vmware_vcenter_bug/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-26 | CVE-2021-21986 | Missing Authentication for Critical Function vulnerability in VMware vCenter Server 6.5/6.7/7.0. The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. | 9.8 |