Security News > 2021 > May > VMware reveals critical vCenter hole it says ‘needs to be considered at once’

VMware has revealed a critical bug that can be exploited to achieve unauthenticated remote code execution in the very core of a virtualised system - vCenter Server.

The culprit is the vSphere HTML5 client, which by default includes the Virtual SAN Health plugin - even if you don't run a VMware VSAN. That plugin lacks input validation and the result, as explained by VMware's advisory this week, is: "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server."

As vCenter is the tool with which VMware users drive their fleets of virtual machines, the bug is rated a 9.8 out of 10 in severity.

VMware has also reported CVE-2021-21986, an authentication mechanism vulnerability in the vSphere HTML 5 client that is also bad news for the Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plugins.

Seeing as the Site Recovery plugin is a disaster recovery tool, The Register shudders at the possibilities if an attacker managed to both introduce ransomware and mess with recovery infrastructure.

Adding further complications, VMware has extended the supported lifespan of some vCenter versions that shipped with the Flash client, meaning those who persist with those versions will also need to maintain old-school browsers that still support Adobe's dangerous Flash-rendering code.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/05/26/vmware_vcenter_bug/