Just in Time Bulletin: CVE-2021-21972

What is CVE-2021-21972? 

CVE-2021-21972 is the vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

On Feb. 23, 2021, VMware published an advisory (VMSA-2021-0002) describing three weaknesses affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation.

There are 2 more vulnerabilities that VMware published on the same report which are CVE-2021-21973 and CVE-2021-21974.
CVE-2021-21973 is an important (CVSSv3 base 8.8) heap-overflow-based remote code execution vulnerability in VMware ESXi OpenSLP. Attackers with same-segment network access to port 427 on affected systems may be able to use the heap-overflow weakness to perform remote code execution.

CVE-2021-21974 is a moderate (CVSSv3 base 5.3) server-side request forgery vulnerability affecting the HTML5 vSphere Client. Attackers with access to port 443 of affected systems can use this weakness to gain access to underlying system information.

How bad is this? 

Active exploitation today: Exploited in the wild

Severity: Critical

  • Credentials not required
  • authentication bypass
  • results in domain controller compromise

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Who is affected by this? 

  • VMware ESXi
  • VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n)
  • VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

How are they exploited? 

An unauthenticated, remote attacker could exploit this vulnerability by uploading a specially crafted file to a vulnerable vCenter Server endpoint that is publicly accessible over port 443.

How do I protect myself? 

Since attackers will already be focusing on VMware systems due to the other high-severity weaknesses, NopSec recommends applying the VMware patches as soon as possible after performing the suggested mitigation.

Additional Resources: