Operating System:
Published: 06 April 2021
Target: vSphere Client component of VMware vCenter
===========================================================================
ZMCIRT Vulnerability Bulletin ZMC-2021.04.06.1440
Unauthorized RCE in VMware vCenter
6 April 2021
===========================================================================

DESCRIPTION:
Vulnerabilities allow unauthenticated clients to execute arbitrary commands on the targeted vCenter server and to send requests on its behalf via various protocols.

VULNERABILITY: CVE-2021-21972
OTHER VULNERABILITIES: CVE-2021-21973

TECHNICAL DETAILS:
1. CVE-2021-21972 allows unauthorised file upload leading to remote code execution (RCE).
2. CVE-2021-21973 allows unauthorised server-side request forgery (SSRF).

HOW TO KNOW IF YOU'VE BEEN COMPROMISED:
1. Inspect for unusual access to vCenter hosts on port 443; if possible, look specifically for requests to the URI paths:
   • /ui/vropspluginui/rest/services/
   • /ui/vropspluginui/rest/services/uploadova

For further technical details, see: https://swarm.ptsecurity.com/unauth-rce-vmware/

TEMPORARY MITIGATION STRATEGIES:
1. Prevent exposure of vCenter assets to the internet:
   • Ensure no vCenter assets are directly exposed to the internet;
   • If vCenter assets are directly exposed to the internet, sever that access and triage those hosts for indications of compromise (see HOW TO KNOW IF YOU'VE BEEN COMPROMISED above);
   • If vCenter assets are not directly exposed to the internet, still prioritise patching, because a device on the internal network could be used to exploit internal hosts, for example after a single successful phishing email.
2. Employ the workaround that disables the vulnerable location on the server, as described in:
   • VMware's knowledge base, available at: https://kb.vmware.com/s/article/82374
3. Use network firewalls to restrict access on port 443 to trusted hosts only.

FIX:
Apply the patch according to your version:
   • vCenter Server version 7.0 should be updated to version 7.0 U1c.
   • vCenter Server version 6.7 should be updated to version 6.7 U3l.
   • vCenter Server version 6.5 should be updated to version 6.5 U3n.
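The detection step above asks you to look for requests to the two plugin URI paths on port 443. The following script is an added example (not part of the ZMCIRT bulletin or VMware's own tooling) showing how that check can be run over access logs from a reverse proxy or load balancer in front of vCenter. The NCSA combined log format, the field names and the sample log lines are all constructed assumptions; adapt the regular expression to whatever format your front-end actually writes.

```python
"""Scan web-server access logs for requests to the vCenter plugin paths
named in the bulletin. Added example; the log format and the sample
lines below are constructed assumptions, not real vCenter output."""
import re
from collections import Counter

# URI paths from the bulletin. Any request under the plugin services
# prefix deserves a look; uploadova is the file-upload endpoint.
WATCH_PREFIX = "/ui/vropspluginui/rest/services/"
UPLOAD_PATH = "/ui/vropspluginui/rest/services/uploadova"

# Assumed NCSA-style combined log line: "src ident user [ts] "METHOD uri proto" status size"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for demonstration only (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2021:10:12:01 +0200] "GET /ui/login HTTP/1.1" 200 5123
203.0.113.7 - - [06/Apr/2021:10:12:05 +0200] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 200 42
203.0.113.7 - - [06/Apr/2021:10:12:09 +0200] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 8
198.51.100.23 - - [06/Apr/2021:11:03:44 +0200] "GET /rest/vcenter/vm HTTP/1.1" 401 0
198.51.100.23 - - [06/Apr/2021:11:04:10 +0200] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 500 120
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(log_text):
    """Return every parsed request whose URI falls under the watched prefix.

    Each hit gets an 'upload' flag set when it is a POST to the uploadova
    endpoint, regardless of the response status: a failed upload attempt
    is still evidence that someone was probing the vulnerable path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]  # ignore any query string
        if path.startswith(WATCH_PREFIX):
            rec["upload"] = path == UPLOAD_PATH and rec["method"] == "POST"
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source address and list sources that hit the upload endpoint."""
    per_src = Counter(h["src"] for h in hits)
    uploaders = sorted({h["src"] for h in hits if h["upload"]})
    return {"per_source": dict(per_src), "upload_sources": uploaders}


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        flag = "UPLOAD" if h["upload"] else "plugin"
        print(f'{h["ts"]} {h["src"]:>15} {h["method"]:5} {h["status"]} {flag} {h["uri"]}')
    print(summarize(found))
```

Any source that appears in `upload_sources` should be triaged as a potential compromise of that vCenter host, as the bulletin's mitigation section directs; sources that only touched other paths under the prefix are still worth correlating against the list of hosts you expect to use the vROps plugin.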
ZMCIRT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. ZMCIRT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: incidents@cirt.zm
Telephone: 7070
ZMCIRT personnel answer during Zambian business hours, which are 8am to 5pm. On call after hours for member emergencies only.
===========================================================================
Copyright @2023 ZAMBIA CIRT