===========================================================================
ZMCIRT Vulnerability Bulletin
ZMC-2021.05.26.0900
ALERT VMware Products: Multiple vulnerabilities
26th May 2021
===========================================================================
Product:           VMware vCenter Server (vCenter Server)
                   VMware Cloud Foundation (Cloud Foundation)
Publisher:         VMware
Operating System:  VMware ESX Server
                   Virtualisation
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21986 CVE-2021-21985
Original Bulletin:
  https://www.vmware.com/security/advisories/VMSA-2021-0010.html
VMSA-2021-0010 - VMware vCenter Server updates address remote code
execution and authentication vulnerabilities (CVE-2021-21985,
CVE-2021-21986)
Advisory ID: VMSA-2021-0010
CVSSv3 Range: 6.5-9.8
Issue Date: 2021-05-25
Updated On: 2021-05-25 (Initial Advisory)
CVE(s): CVE-2021-21985, CVE-2021-21986
Synopsis:
VMware vCenter Server updates address remote code execution and authentication
vulnerabilities (CVE-2021-21985, CVE-2021-21986)
1. Impacted Products
VMware vCenter Server (vCenter Server)
VMware Cloud Foundation (Cloud Foundation)
2. Introduction
Multiple vulnerabilities in the vSphere Client (HTML5) were privately reported
to VMware. Updates and workarounds are available to address these vulnerabilities
in affected VMware products.
3a. VMware vCenter Server updates address remote code execution vulnerability in
the vSphere Client (CVE-2021-21985)
Description
The vSphere Client (HTML5) contains a remote code execution vulnerability due
to lack of input validation in the Virtual SAN Health Check plug-in which is
enabled by default in vCenter Server. VMware has evaluated the severity of this
issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor with network access to port 443 may exploit this issue to
execute commands with unrestricted privileges on the underlying operating system
that hosts vCenter Server.
Resolution
To remediate CVE-2021-21985 apply the updates listed in the 'Fixed Version' column
of the 'Response Matrix' below to affected deployments.
Workarounds
Workarounds for CVE-2021-21985 have been listed in the 'Workarounds' column of the
'Response Matrix' below.
Additional Documentation
None.
Notes
- The affected Virtual SAN Health Check plug-in is enabled by default in all
vCenter Server deployments, whether or not vSAN is being used.
- A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2021-0010-blog
Acknowledgements
VMware would like to thank Ricter Z of 360 Noah Lab for reporting this issue to
us.
Response Matrix:

  Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
  vCenter Server  7.0      Any         CVE-2021-21985  9.8     critical  7.0 U2b        KB83829      None
  vCenter Server  6.7      Any         CVE-2021-21985  9.8     critical  6.7 U3n        KB83829      None
  vCenter Server  6.5      Any         CVE-2021-21985  9.8     critical  6.5 U3p        KB83829      None

Impacted Product Suites that Deploy Response Matrix 3a Components:

  Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
  Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-21985  9.8     critical  4.2.1          KB83829      None
  Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-21985  9.8     critical  3.10.2.1       KB83829      None
3b. Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)
Description
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication
mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle
Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated
the severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 6.5.
Known Attack Vectors
A malicious actor with network access to port 443 on vCenter Server may perform
actions allowed by the impacted plug-ins without authentication.
Resolution
To remediate CVE-2021-21986 apply the updates listed in the 'Fixed Version' column
of the 'Response Matrix' below to affected deployments.
Workarounds
Workarounds for CVE-2021-21986 have been listed in the 'Workarounds' column of the
'Response Matrix' below.
Additional Documentation
None.
Notes
A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2021-0010-blog
Acknowledgements
None.
Response Matrix:

  Product         Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
  vCenter Server  7.0      Any         CVE-2021-21985  9.8     critical  7.0 U2b        KB83829      None
  vCenter Server  6.7      Any         CVE-2021-21985  9.8     critical  6.7 U3n        KB83829      None
  vCenter Server  6.5      Any         CVE-2021-21985  9.8     critical  6.5 U3p        KB83829      None

Impacted Product Suites that Deploy Response Matrix 3b Components:

  Product                            Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
  Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-21985  9.8     critical  4.2.1          KB83829      None
  Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-21985  9.8     critical  3.10.2.1       KB83829      None
4. References
Fixed Version(s) and Release Notes:
vCenter Server 7.0 U2b
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/7_0
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u2b-release-notes.html
vCenter Server 6.7 U3n
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3n-release-notes.html
vCenter Server 6.5 U3p
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3p-release-notes.html
VMware vCloud Foundation 4.2.1
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=VCF421&productId=1121&rPId=67576
https://docs.vmware.com/en/VMware-Cloud-Foundation/4.2.1/rn/VMware-Cloud-Foundation-421-Release-Notes.html
VMware vCloud Foundation 3.10.2.1
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html#3.10.2.1
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986
FIRST CVSSv3 Calculator:
CVE-2021-21985: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-21986: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
5. Change Log
2021-05-25 VMSA-2021-0010
Initial security advisory.
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCIRT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Internet Email: report@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours
which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT