
VMware vCenter Vulnerabilities

VMware refers to these two vulnerabilities collectively as VMSA-2021-0010.
  • CVE-2021-21985 - The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
  • CVE-2021-21986 - The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.


Affected Software / System

This advisory specifically applies to the following VMware products:

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

 

CVE (if applicable)

  • CVE-2021-21985
  • CVE-2021-21986


Type

  • CVE-2021-21985 - Remote code execution vulnerability
  • CVE-2021-21986 - Authentication mechanism vulnerability


Exploit Status: 

Proofs-of-Concept exist in the wild for the RCE vulnerability.


Rating

  • CVE-2021-21985 - CVSS Score of 9.8/10 (Critical)
  • CVE-2021-21986 - CVSS Score of 6.5/10 (Moderate)


Impact

  • CVE-2021-21985 - A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. 
  • CVE-2021-21986 - A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.


Mitigation

The best and quickest way to ensure protection is to apply the patches released by VMware. However, if immediate patching is not possible, you should disable the affected plugins by adding the following lines under the "pluginsCompatibility" element in your compatibility-matrix.xml file:

<PluginPackage id="com.vmware.vrops.install" status="incompatible"/> 
<PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/> 
<PluginPackage id="com.vmware.vrUi" status="incompatible"/> 
<PluginPackage id="com.vmware.vum.client" status="incompatible"/> 
<PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>

After adding these lines, stop and restart the “vsphere-ui” service. Organizations should review the criticality of these plugins before attempting this mitigation.
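
As an added example (not from VMware or the original advisory), the following Python check confirms that all five plug-in entries above are present with status="incompatible" inside the pluginsCompatibility element, and catches entries that are commented out, misspelled, or placed outside that element. The function name, the `Matrix` root element and the sample file content are assumptions constructed for illustration; pass the path to your own compatibility-matrix.xml as the first argument.

```python
import sys
import xml.etree.ElementTree as ET

# Plugin ids listed in the advisory's mitigation.
REQUIRED = (
    "com.vmware.vrops.install",
    "com.vmware.vsphere.client.h5vsan",
    "com.vmware.vrUi",
    "com.vmware.vum.client",
    "com.vmware.h4.vsphere.client",
)

def missing_disabled_plugins(xml_text):
    """Return the advisory's plugin ids NOT marked incompatible under pluginsCompatibility."""
    root = ET.fromstring(xml_text)
    disabled = set()
    # Only entries nested in a pluginsCompatibility element count.
    # XML comments are dropped by the parser, so commented-out entries are ignored.
    for section in root.iter("pluginsCompatibility"):
        for pkg in section.iter("PluginPackage"):
            if pkg.get("status") == "incompatible":
                disabled.add(pkg.get("id", "").strip())
    return [plugin_id for plugin_id in REQUIRED if plugin_id not in disabled]

# Constructed sample (root element name is an assumption): one entry is commented
# out, one has a misspelled status, and one sits outside pluginsCompatibility.
SAMPLE = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
    <!-- <PluginPackage id="com.vmware.vrUi" status="incompatible"/> -->
    <PluginPackage id="com.vmware.vum.client" status="incompatable"/>
  </pluginsCompatibility>
  <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>
</Matrix>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE
    missing = missing_disabled_plugins(text)
    for plugin_id in missing:
        print("NOT disabled:", plugin_id)
    sys.exit(1 if missing else 0)
```

A non-zero exit status means at least one of the five plug-ins is still enabled, so the workaround is incomplete.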


Ingalls recommends the following actions:

  1. Ingalls strongly discourages organizations from exposing vCenter directly to the Internet; it should instead be protected behind a secure solution such as a VPN and Multi-Factor Authentication (MFA).

  2. Ingalls also strongly recommends that affected organizations patch these vulnerabilities as soon as possible.

  3. If organizations cannot patch immediately, then they should immediately apply the recommended workarounds/mitigations.


More information from VMware on considerations for applying these patches can be found in this article.
