VMSA-2021-0002 updates for VMware ESXi and vCenter address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)

Yesterday, VMware released an update that addresses three vulnerabilities in its ESXi, vCenter Server and Cloud Foundation products:

About the vulnerabilities

    Remote code execution vulnerability in the vSphere Client (CVE-2021-21972)

    The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

    A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

    Mikhail Klyuchnikov of Positive Technologies reported the vulnerability to VMware.

    The vulnerability is addressed in the following versions of vCenter Server:

    • vCenter Server version 7.0 U1c (ESXi70U1c-17325551)
    • vCenter Server version 6.7 U3l (ESXi670-202102401-SG)
    • vCenter Server version 6.5 U3n (ESXi650-202102101-SG)
    • Cloud Foundation (vCenter Server) version 4.2
    • Cloud Foundation (vCenter Server) version 3.10.1.2

    SSRF vulnerability in the vSphere Client (CVE-2021-21973)

    The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

    A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.

    Mikhail Klyuchnikov of Positive Technologies reported the vulnerability to VMware.

    The vulnerability is addressed in the following versions of vCenter Server:

    • vCenter Server version 7.0 U1c (ESXi70U1c-17325551)
    • vCenter Server version 6.7 U3l (ESXi670-202102401-SG)
    • vCenter Server version 6.5 U3n (ESXi650-202102101-SG)
    • Cloud Foundation (vCenter Server) version 4.2
    • Cloud Foundation (vCenter Server) version 3.10.1.2

    ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)

    OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

    A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

    Lucas Leong of Trend Micro’s Zero Day Initiative reported the vulnerability to VMware.

    The vulnerability is addressed in the following versions of ESXi:

    • ESXi version ESXi70U1c-17325551
    • ESXi version ESXi670-202102401-SG
    • ESXi version ESXi650-202102101-SG
    • Cloud Foundation (vCenter Server) version 4.2
    • Cloud Foundation (vCenter Server) version 3.10.1.2 with EP 18 (6.7.0-17499825)

    Concluding

    Please install the updates for the version(s) of ESXi, vCenter Server and/or Cloud Foundation in use within your organization, as mentioned above and in the advisory for VMSA-2021-0002.

    Alternatively, perform the workarounds as mentioned in KB82374 for vCenter Server (pertaining to CVE-2021-21972 and CVE-2021-21973) and KB76372 for ESXi (pertaining to CVE-2021-21974).
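    As an added example (not part of the original post or of VMware's tooling), the following Python check classifies ESXi hosts against the fixed builds quoted above for CVE-2021-21974: build 17325551 for the 7.0 line and build 17499825 (EP 18) for the 6.7 line. It assumes the first line of `vmware -vl` as input; the host names and the lower build numbers in the sample inventory are constructed.

```python
import re

# Minimum fixed ESXi builds per release line, taken from the advisory text above.
# The 6.5 bulletin (ESXi650-202102101-SG) is listed without a build number, so
# 6.5 hosts are reported as "unknown" until that build is added from the VMSA.
FIXED_BUILDS = {
    "7.0": 17325551,   # ESXi70U1c-17325551
    "6.7": 17499825,   # ESXi670-202102401-SG / EP 18 (6.7.0-17499825)
}

# Matches the first line of `vmware -vl`, e.g. "VMware ESXi 7.0.1 build-17325551".
_VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")


def parse_esxi_version(banner):
    """Return (release_line, build) from a `vmware -vl` banner, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def assess_host(banner):
    """Classify one host as 'patched', 'vulnerable' or 'unknown' for CVE-2021-21974.

    Build numbers only compare meaningfully within one release line (a 6.7 build
    can be numerically higher than a 7.0 build), so the lookup is per line.
    """
    parsed = parse_esxi_version(banner)
    if parsed is None:
        return "unknown"
    line, build = parsed
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "unknown"   # release line not covered by the builds on this page
    return "patched" if build >= fixed else "vulnerable"


def assess_inventory(inventory):
    """Map each host name in {host: banner} to its patch status."""
    return {host: assess_host(banner) for host, banner in inventory.items()}


# Constructed sample inventory; only the two fixed builds are real values.
SAMPLE_INVENTORY = {
    "esx01": "VMware ESXi 7.0.1 build-17325551",   # exactly the fixed 7.0 U1c build
    "esx02": "VMware ESXi 7.0.1 build-17000000",   # constructed earlier 7.0 build
    "esx03": "VMware ESXi 6.7.0 build-17499825",   # fixed 6.7 EP 18 build
    "esx04": "VMware ESXi 6.5.0 build-17000000",   # 6.5: fixed build not on this page
}

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "vulnerable" should receive the patch or the KB76372 workaround; "unknown" hosts need a manual check against the advisory.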

    FURTHER READING

    VMware updated the patch for CVE-2020-3992 to completely address the Remote Code Execution Vulnerability (Critical, CVSSv3 9.8)
    Two vulnerabilities in VMware ESXi may lead to virtual Domain Controller compromise (Critical, VMSA-2020-0026, CVE-2020-4004, CVE-2020-4005)

    The post VMSA-2021-0002 updates for VMware ESXi and vCenter address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974) appeared first on The DirTeam.com / ActiveDir.org Weblogs.

    via The DirTeam.com / ActiveDir.org Weblogs https://dirteam.com

    February 24, 2021 at 07:42AM
    Sander Berkouwer