Comment from Tenable on Vulnerabilities in VMware vCenter

Two vulnerabilities were found in VMware’s vCenter Server. CVE-2021-21985 is a remote code execution vulnerability in the vSphere Client via the Virtual SAN (vSAN) Health Check plugin, which is enabled by default. CVE-2021-21986 is an authentication mechanism issue in several vCenter Server Plug-in. In a rare move, VMware published a blog post calling out ransomware groups as being adept at leveraging flaws like this post-compromise, after having gained access to a network via other means such as spearphishing. Claire Tills, Senior Research Engineer, Tenable; express view on the same.

“VMware has disclosed a pair of vulnerabilities impacting vCenter Server, a centralized management software for VMware vSphere systems. The most severe flaw, CVE-2021-21985, is a remote code execution vulnerability in vSphere Client, assigned a CVSSv3 score of 9.8

“To exploit this vulnerability, an attacker would need to be able to access vCenter Server over port 443 in the firewall. Even if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network.

“In a rare move, VMware published a blog post calling out ransomware groups as being adept at leveraging flaws like this post-compromise, after having gained access to a network via other means such as spearphishing. With ransomware dominating the news, this context is important and reinforces VMware’s assertion that patching these flaws should be a top priority. Successful exploitation would allow an attacker to execute arbitrary commands on the underlying vCenter host.

“VMware also patched CVE-2021-21986, which is an authentication mechanism issue found in several vCenter Server Plug-ins and was assigned a CVSSv3 score of 6.5, making it moderately severe.

“VMware has provided patches for both flaws and organizations using vCenter Servers are advised to act immediately.” — Claire Tills, Senior Research Engineer, Tenable