**** SOC ADVISORY **** VMware vSphere Products’ Vulnerabilities
Incident Report for CyFlare
Resolved
This incident has been resolved.
Posted May 28, 2021 - 13:35 EDT
Investigating
VMware vSphere Products’ Vulnerabilities

Posted Date: 05/27/2021
Published Date: 05/27/2021
Source: VMware
Sector: Information Security – Product Integrity
Reported by: VMware
ADVISORY NUMBER: VMSA-2021-0010
DATE(S) ISSUED: 05/25/2021

SUBJECT: VMware vCenter Server updates address remote code execution and authentication vulnerabilities

OVERVIEW:

VMware has released updates for vCenter Server that remediate a remote code execution vulnerability and an authentication vulnerability, carrying CVSS scores of 9.8 and 6.5 respectively. Both vulnerabilities are in the vSphere Client (HTML5) and were privately reported to VMware. Updates and workarounds are available for the affected VMware products.
THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited against monitored assets. However, applying the patches and updates is highly recommended in order to reduce potential risk.

SYSTEMS AFFECTED:

• VMware vCenter Server
• VMware Cloud Foundation

RISK:
Any organization that depends on the products listed above, together with the confidential data generated, handled or modified through them.

TECHNICAL SUMMARY:

CVE-2021-21985: 9.8 Critical

This vulnerability is a remote code execution flaw in the vSphere Client (HTML5) caused by a lack of input validation in the Virtual SAN (vSAN) Health Check plugin. The plugin is ENABLED by default on vCenter Server even where vSAN is not in use, and the flaw is reachable over the network without authentication, which is why the severity score is as high as 9.8 and the issue is rated Critical.
To exploit it, an adversary needs network access to port 443 on the vCenter Server. The server does not have to be internet-facing: an attacker who has already gained a foothold inside the network, for example through spear phishing or other social engineering, can use this vulnerability to escalate impact. Successful exploitation allows the attacker to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

CVE-2021-21986 – 6.5 Moderate

Like CVE-2021-21985, this vulnerability is reachable over port 443. It is a flaw in a vSphere authentication mechanism used by the following default plugins:
• vSAN Health Check
• Site Recovery
• vSphere Lifecycle Manager
• VMware Cloud Director Availability
An attacker with network access to port 443 on vCenter Server can perform the actions allowed by the affected plugins without authentication. Because the impact is limited to what those plugins expose, rather than arbitrary command execution, it is rated Moderate with a score of 6.5/10.

RECOMMENDATIONS:

VMware has published workarounds for both vulnerabilities in Knowledge Base article 83829: https://kb.vmware.com/s/article/83829

NOTE: These are temporary workarounds only; the permanent fix is to patch the affected products as soon as possible.

The workaround disables the affected plugins in the vSphere Client rather than removing the vulnerable code, so it should be treated as a stop-gap and verified after it is applied, not as a guarantee against exploitation.

Update patches:

Product/Suite        Version   Fixed release   CVEs addressed
vCenter Server       7.0       7.0 U2b         CVE-2021-21985, CVE-2021-21986
vCenter Server       6.7       6.7 U3n         CVE-2021-21985, CVE-2021-21986
vCenter Server       6.5       6.5 U3p         CVE-2021-21985, CVE-2021-21986
Cloud Foundation     4.x       4.2.1           CVE-2021-21985, CVE-2021-21986
Cloud Foundation     3.x       3.10.2.1        CVE-2021-21985, CVE-2021-21986
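As an added example (not part of this advisory and not VMware tooling), the following Python script ties the two remediation paths above together: it classifies a vCenter Server's patch level from `vpxd -v` output against the fixed releases in the table, and it checks whether the KB 83829 workaround has actually been applied by reading the plugin entries in the vSphere Client's compatibility-matrix.xml. Assumptions: the fixed build numbers, the `vpxd -v` output format and the plugin package IDs come from my own reading of VMware's build-number KB and of KB 83829, not from this advisory, and should be confirmed against those sources before the script is relied on; the sample version strings and the sample XML are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed builds per vCenter Server release line for VMSA-2021-0010
# (CVE-2021-21985 and CVE-2021-21986). ASSUMPTION: build numbers are from my
# reading of VMware's build-number KB, not from the advisory; confirm them.
# Builds only increase within a line, so anything >= the fix is patched.
FIXED_BUILDS = {
    "7.0": ("7.0 U2b", 17958471),
    "6.7": ("6.7 U3n", 18010531),
    "6.5": ("6.5 U3p", 18010599),
}

# Plug-in package IDs that the KB 83829 workaround marks status="incompatible"
# in /etc/vmware/vsphere-ui/compatibility-matrix.xml. ASSUMPTION: IDs are from
# my reading of the KB; verify against it.
AFFECTED_PLUGINS = {
    "com.vmware.vsphere.client.h5vsan": "vSAN Health Check",
    "com.vmware.vrUi": "Site Recovery",
    "com.vmware.vum.client": "vSphere Lifecycle Manager",
    "com.vmware.h4.vsphere.client": "VMware Cloud Director Availability",
}

# Assumed shape of 'vpxd -v' output on the appliance.
VPXD_RE = re.compile(r"VMware VirtualCenter (\d+\.\d+)(?:\.\d+)* build-(\d+)")


def parse_vpxd_version(text):
    """Return (release line, build) from 'vpxd -v' output, e.g. ('7.0', 17958471)."""
    m = VPXD_RE.search(text)
    if not m:
        raise ValueError("unrecognised vpxd -v output: %r" % text)
    return m.group(1), int(m.group(2))


def patch_status(text):
    """Classify a vCenter as 'patched', 'vulnerable' or 'unknown' (line not in table)."""
    line, build = parse_vpxd_version(text)
    if line not in FIXED_BUILDS:
        return "unknown"
    _, fixed_build = FIXED_BUILDS[line]
    return "patched" if build >= fixed_build else "vulnerable"


def disabled_plugins(matrix_xml):
    """Affected plug-in IDs that compatibility-matrix.xml marks incompatible (disabled)."""
    root = ET.fromstring(matrix_xml)
    return {
        pkg.get("id")
        for pkg in root.iter("PluginPackage")
        if pkg.get("id") in AFFECTED_PLUGINS and pkg.get("status") == "incompatible"
    }


def workaround_gaps(matrix_xml):
    """Affected plug-ins the workaround has NOT disabled, sorted for stable reporting."""
    return sorted(set(AFFECTED_PLUGINS) - disabled_plugins(matrix_xml))


def assess(vpxd_text, matrix_xml):
    """One finding per line: patch level first, then any workaround gaps if unpatched."""
    findings = []
    status = patch_status(vpxd_text)
    findings.append("patch level: %s" % status)
    if status != "patched":
        for pid in workaround_gaps(matrix_xml):
            findings.append("workaround gap: %s (%s) still enabled"
                            % (AFFECTED_PLUGINS[pid], pid))
    return findings


# Constructed sample inputs (not captured from a real system).
SAMPLE_VPXD_PATCHED = "VMware VirtualCenter 7.0.2 build-17958471"
SAMPLE_VPXD_OLD = "VMware VirtualCenter 6.7.0 build-17100000"
SAMPLE_MATRIX = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
    <PluginPackage id="com.vmware.vum.client" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_VPXD_OLD, SAMPLE_MATRIX):
        print(finding)
```

On a real appliance, feed `assess()` the output of `vpxd -v` and the contents of /etc/vmware/vsphere-ui/compatibility-matrix.xml; a host reported as "vulnerable" with any "workaround gap" lines is exposed on port 443 until it is patched. The script deliberately keys the build comparison on the release line, since build numbers are not comparable across 6.5, 6.7 and 7.0.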

REFERENCES:
1. https://www.tenable.com/blog/cve-2021-21985-critical-vmware-vcenter-server-remote-code-execution
2. https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html
3. https://www.vmware.com/security/advisories/VMSA-2021-0010.html

CVE:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986
Posted May 28, 2021 - 10:24 EDT
This incident affected: Breach Detection Service.