February 24, 2021
Late Yesterday (23.2.2021), VMware released a new VMware Security Advisory, VMSA-2021-0002, which includes vulnerabilities of critical severity. VMware again mixes multiple CVEs with different severities affecting different products into a single VMSA. What do these CVEs have in common, and what is their impact on your infrastructure?
CVE-2021-21972 has critical severity, with a maximum CVSSv3 score of 9.8 (from a maximum possible score of 10). The description states that “a malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server”. Oh, that sounds a bit scary! It depends on how the network is architected, and more importantly, which devices can access your vCenter Server address. The attacker getting there doesn't even need to know any credentials, and they can gain full access to the vCenter server, its database, all the binaries and scripts, the whole shebang. What's the root cause of this issue? Well, the troublemaker is the ever-present vRealize Operations plugin - you are vulnerable even if you are not running vRealize Operations in your environment. The reason for the plugin existing is to make it simple to try out vRealize Operations. If you can’t patch this, the workaround is to mark the plugin as "incompatible". Folks using VROps might not like the workaround as it means that they'll not see some metrics and alerts in the HTML5 based vSphere Client.
Fortunately, fixed vCenter versions are available. The already available vCenter releases 7.0U1c and 6.7U3I already include the fix for this. An update to vCenter 6.5 was released together with the VMSA. It might be a good idea to start your upgrade engines!
CVE-2021-21973 has moderate severity, with a maximum CVSSv3 score of 5.3. The attack vector is again the problematic vROps plugin from CVE-2021-21972, but the vulnerability is less severe. An attacker can exploit this vulnerability to read the details of any plugins in vCenter. To remediate, apply the same fixes as CVE-2021-21972, and the same workaround is also valid. Hopefully, you were concerned enough and are already fixing that after reading the previous paragraph!
CVE-2021-21974 is Important. As with the other CVEs in this VMSA, an attacker needs access to access only to the management network. The OpenSLP service (also known as CIM) running on TCP port 427 on the ESXi host is vulnerable. The Service Location Protocol is a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration. On ESXi, third-party hardware health monitoring services can use this. This service has suffered from several CVEs in the recent past. As vSphere no longer uses this service, the guidance in the VMware Security Configuration Guide is now that this service should be disabled by default if not required for third-party software. ESXi 7.u1C (released 17 December 2020) includes the patch to protect against this, and fixes for ESXi 6.7 and 6.5 were published yesterday (23 February 2021).
As a workaround, if you cannot patch now due to change control, you can disable the service and close the port, as is described in the VMware KB76372.
As always, defence in depth should be in place, with the management network segregated from the wider network.
The vulnerabilities are present in components that you might not necessarily need to have running, as we’ve seen. While VMware has made great efforts to make vSphere “secure by default”, it might be nice to have an easy way to disable unnecessary services. Meanwhile, you can use Runecast Analyzer to highlight configurations known to be problematic quickly.
Runecast Analyzer knowledge definition version 126.96.36.199, released today (Wednesday 24th February 2021), includes detection and reporting for this VMware Security Advisory. As always, where automatic updates are enabled, Runecast Analyzer users will receive the new definitions during the following update cycle, with offline updates available through the Runecast customer portal as usual.
As with CVEs detailed in previous VMware Security Advisories, we have taken the decision to split the announcements in the VMSA into separate findings. This approach allows greater visibility into the individual impacts and prioritises remediation efforts on the highest severity issues.
We hope that these blog posts are helpful. Sometimes, the abundance of technical information in a security advisory means that it can be hard to fully understand the impact that the vulnerabilities and the fixes might have on your environment, and we’re always happy to help. As always, you can hit us up on Twitter with any feedback!