VMware refers to these two vulnerabilities collectively as VMSA-2021-0010.
- CVE-2021-21985 - The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
- CVE-2021-21986 - The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.
Affected Software / System
This advisory specifically applies to the following VMware products:
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
CVE (if applicable)
- CVE-2021-21985
- CVE-2021-21986
Type
- CVE-2021-21985 - Remote code execution vulnerability
- CVE-2021-21986 - Authentication mechanism vulnerability
Exploit Status
Proofs of concept exist in the wild for the RCE vulnerability.
Rating
- CVE-2021-21985 - CVSS Score of 9.8/10 (Critical)
- CVE-2021-21986 - CVSS Score of 6.5/10 (Moderate)
Impact
- CVE-2021-21985 - A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
- CVE-2021-21986 - A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.
Mitigation
The best and quickest way to ensure protection is to apply the patches released by VMware. However, if immediate patching is not possible, you should disable the affected plug-ins by adding the following lines under the "pluginsCompatibility" element in your compatibility-matrix.xml file:
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
<PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
<PluginPackage id="com.vmware.vrUi" status="incompatible"/>
<PluginPackage id="com.vmware.vum.client" status="incompatible"/>
<PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>
After adding these lines, stop and restart the “vsphere-ui” service. Organizations should review the criticality of these plugins before attempting this mitigation.
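As an added check for the workaround above (not part of the original advisory), this Python script parses a compatibility-matrix.xml, reports which of the five plug-ins are still not marked incompatible, and produces the patched XML. The sample file contents are constructed for the demo, and the location of the real file on the appliance is an assumption left to the reader.

```python
"""Check and apply the VMSA-2021-0010 plug-in workaround to compatibility-matrix.xml."""
import xml.etree.ElementTree as ET

# Plug-in IDs the advisory says to mark incompatible.
AFFECTED_PLUGINS = (
    "com.vmware.vrops.install",
    "com.vmware.vsphere.client.h5vsan",
    "com.vmware.vrUi",
    "com.vmware.vum.client",
    "com.vmware.h4.vsphere.client",
)

# Constructed sample of the file before the workaround; not a real appliance file.
SAMPLE_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vum.client" status="compatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def unmitigated_plugins(xml_text):
    """Return the affected plug-in IDs that are not yet marked incompatible."""
    root = ET.fromstring(xml_text)
    section = root.find(".//pluginsCompatibility")
    marked = set()
    if section is not None:
        for pkg in section.findall("PluginPackage"):
            if pkg.get("status") == "incompatible":
                marked.add(pkg.get("id"))
    return [p for p in AFFECTED_PLUGINS if p not in marked]


def apply_workaround(xml_text):
    """Return the XML with every affected plug-in marked incompatible.
    Existing entries are updated in place and missing ones appended, so
    running this twice is safe."""
    root = ET.fromstring(xml_text)
    section = root.find(".//pluginsCompatibility")
    if section is None:
        section = ET.SubElement(root, "pluginsCompatibility")
    existing = {pkg.get("id"): pkg for pkg in section.findall("PluginPackage")}
    for plugin_id in AFFECTED_PLUGINS:
        pkg = existing.get(plugin_id)
        if pkg is None:
            pkg = ET.SubElement(section, "PluginPackage", id=plugin_id)
        pkg.set("status", "incompatible")
    return ET.tostring(root, encoding="unicode")
```

Read the real file into a string, write the returned XML back after taking a backup, and then restart the vsphere-ui service as described above.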
Ingalls recommends the following actions:
- Ingalls strongly discourages organizations from exposing vCenter directly to the Internet as opposed to protecting it behind a secure solution such as a VPN and Multi-Factor Authentication (MFA).
- Ingalls also strongly recommends that affected organizations patch these vulnerabilities as soon as possible.
- If organizations cannot patch immediately, then they should immediately apply the recommended workarounds/mitigations.
More information from VMware on considerations for applying these patches can be found in this article.