Just in Time Bulletin: CVE-2021-21985

  • What is CVE-2021-21985 (VMware vCenter Server RCE)? 

    CVE-2021-21985 is a remote code execution (RCE) vulnerability that a remote, unauthenticated attacker can exploit by sending a crafted HTTP request to a vulnerable server. Successful exploitation grants the attacker unrestricted privileges on the underlying operating system. The flaw stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plugin, which is enabled by default on vCenter Server. VMware assigned this critical flaw a CVSSv3 score of 9.8, reflecting the severity of the vulnerability.

  • How bad is this? 

    Active exploitation today: No Evidence

    Severity: Critical

    • Credentials not required
    • Authentication bypass
    • Results in vCenter Server compromise
    • VMware vCenter Server is widely deployed in corporate networks


    The effects of an exploit granting remote code execution would be widespread and highly impactful, likely resulting in the compromise of the parent domain. Compromise of vCenter servers could lead to significant service interruptions and to the compromise of high-level domain accounts.


  • Who is affected by this? 

    • vCenter Server 7.0
    • vCenter Server 6.7
    • vCenter Server 6.5
    • Cloud Foundation 4.x
    • Cloud Foundation 3.x

  • How are they exploited? 

    An unauthenticated, remote attacker could exploit this vulnerability over the network by sending a crafted HTTP request to the vSAN Health Check plugin on a vulnerable vCenter Server; no credentials are required.

  • How do I protect myself? 

    VMware has released an emergency patch to address the RCE vulnerability affecting the Health Check plugin. Affected organizations should take immediate action to apply the patch. As a temporary workaround, the vulnerable plugins can be disabled. Please refer to the links below for additional information.
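    The added example below is not from this bulletin or from VMware; it shows one way to script the interim workaround of disabling vSphere Client plugins by marking them "incompatible" in a plugin compatibility matrix, so the patch can be applied afterwards without the UI loading the vulnerable plugin in the meantime. The XML layout, the element names and the plugin ids are assumptions and placeholders; take the real file path and plugin ids from VMware's workaround documentation.

```python
# Added example (not from the bulletin or from VMware): mark vSphere Client plugins
# "incompatible" in a plugin compatibility matrix so the client will not load them.
# The matrix layout is an ASSUMPTION; the plugin ids are PLACEHOLDERS.
import sys
import shutil
import xml.etree.ElementTree as ET

# Constructed sample matrix (assumed layout) standing in for the real appliance file.
SAMPLE_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.example.already-disabled" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""

# Placeholder ids: replace with the ids named in VMware's workaround KB.
PLACEHOLDER_PLUGIN_IDS = ["com.example.vsan-health-plugin", "com.example.other-plugin"]


def disable_plugins(matrix_xml: str, plugin_ids) -> tuple[str, list[str]]:
    """Return (updated XML text, ids newly marked incompatible). Safe to re-run."""
    root = ET.fromstring(matrix_xml)
    container = root.find("pluginsCompatibility")
    if container is None:  # create the section if the file has none yet
        container = ET.SubElement(root, "pluginsCompatibility")
    existing = {pkg.get("id"): pkg for pkg in container.findall("PluginPackage")}
    added = []
    for pid in plugin_ids:
        pkg = existing.get(pid)
        if pkg is None:
            ET.SubElement(container, "PluginPackage", id=pid, status="incompatible")
            added.append(pid)
        elif pkg.get("status") != "incompatible":  # entry exists but is still allowed
            pkg.set("status", "incompatible")
            added.append(pid)
    # ET.tostring drops the declaration, so prepend it again.
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, added


def disabled_plugins(matrix_xml: str) -> list[str]:
    """List the plugin ids currently marked incompatible (useful as a post-change check)."""
    root = ET.fromstring(matrix_xml)
    return sorted(p.get("id") for p in root.iter("PluginPackage")
                  if p.get("status") == "incompatible")


if __name__ == "__main__":  # usage: disable_plugins.py <path-to-matrix.xml> <plugin-id>...
    path, ids = sys.argv[1], sys.argv[2:]
    shutil.copy2(path, path + ".bak")  # keep a backup to revert after patching
    updated, changed = disable_plugins(open(path, encoding="utf-8").read(), ids)
    open(path, "w", encoding="utf-8").write(updated)
    print("newly disabled:", changed, "| now disabled:", disabled_plugins(updated))
```

    Restart the vSphere Client service afterwards so the change takes effect, and verify with the post-change check that the intended ids are listed.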

    Additional Resources: