Critical VMware vCenter Server Flaw Can Expose Organizations to Remote Attacks

VMware on Tuesday informed customers that its vCenter Server product is affected by a critical vulnerability that can be exploited by an attacker to execute commands with elevated privileges.

vCenter Server is a management software designed to provide a centralized platform for controlling VMware vSphere environments. The critical vulnerability, discovered by Positive Technologies researcher Mikhail Klyuchnikov, impacts a vCenter Server plugin used by the vSphere Client.

The flaw, tracked as CVE-2021-21972 with a CVSS score of 9.8, can be exploited by an attacker with network access to port 443 to “to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,” VMware said in its advisory.

According to Positive Technologies, while 90 percent of vCenter devices are only accessible from within an organization’s perimeter — exploitation of the vulnerability in this case requires access to the target’s internal network — there are more than 6,000 systems that are accessible directly from the internet.

The cybersecurity firm said more than a quarter of these devices are located in the United States, followed by Germany (7%), France (6%), China (6%), the UK (4%), Canada (4%), Russia (3%), Taiwan (3%), Iran (3%), and Italy (3%).

“In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),” Positive Technologies’ Klyuchnikov explained. “The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.”

He added, “After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users). If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data. Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.”

Klyuchnikov has also been credited for a medium-severity server-side request forgery (SSRF) flaw in vCenter Server, specifically in a plugin used by the vSphere Client. An attacker with network access to port 443 could exploit this vulnerability to obtain information — including on open ports associated with various services — that could be useful for further attacks.

VMware has also informed users about CVE-2021-21974, a high-severity heap overflow in ESXi that can be exploited by an attacker with network access to port 427 to execute arbitrary code.

The issue was reported to VMware by Lucas Leong of Trend Micro’s Zero Day Initiative (ZDI). ZDI has yet to make its own advisory for this vulnerability public.

VMware has released patches and workarounds for each of the affected products and versions.

It’s important that organizations using affected products apply the patches or workarounds since VMware product vulnerabilities being targeted by threat actors is not unheard of. The NSA warned recently that a state-sponsored threat actor linked to Russia had exploited a flaw in VMware Workspace ONE, likely even before a patch was released by the virtualization giant.

Related: VMware Patches Vulnerabilities Exploited at Chinese Hacking Contest

Related: VMware Patches Workspace ONE Access Vulnerability Reported by NSA

Related: Patch for Critical VMware ESXi Vulnerability Incomplete