Critical RCE Flaws Affect VMware ESXi and vSphere Client — Patch Now

VMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems.

“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” the company said in its advisory.

The vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, making it critical in severity.

“In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),” said Positive Technologies’ Mikhail Klyuchnikov, who discovered and reported the flaw to VMware.

“The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.”

With this access in place, the attacker can then successfully move through the corporate network and gain access to the data stored in the vulnerable system, such as information about virtual machines and system users, Klyuchnikov noted.

Separately, a second vulnerability (CVE-2021-21973, CVSS score 5.3) allows unauthorized users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company’s internal network and retrieve specifics about the open ports of various services.

The information disclosure issue, according to VMware, stems from an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in the vCenter Server plugin.

VMware has also provided workarounds to remediate CVE-2021-21972 and CVE-2021-21973 temporarily until the updates can be deployed. Detailed steps can be found here.

It’s worth noting that VMware rectified a command injection vulnerability in its vSphere Replication product (CVE-2021-21976, CVSS score 7.2) earlier this month that could grant a bad actor with administrative privileges to execute shell commands and achieve RCE.

Lastly, VMware also resolved a heap-overflow bug (CVE-2021-21974, CVSS score 8.8) in ESXi’s service location protocol (SLP), potentially allowing an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it.

OpenSLP provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.

The latest fix for ESXi OpenSLP comes on the heels of a similar patch (CVE-2020-3992) last November that could be leveraged to trigger a use-after-free in the OpenSLP service, leading to remote code execution.

Not long after, reports of active exploitation attempts emerged in the wild, with ransomware gangs abusing the vulnerability to take over unpatched virtual machines deployed in enterprise environments and encrypt their virtual hard drives.

It’s highly recommended that users install the updates to eliminate the risk associated with the flaws, in addition to “removing vCenter Server interfaces from the perimeter of organizations, if they are there, and allocate them to a separate VLAN with a limited access list in the internal network.”