The following Advisory has been published:
CVE-2021-21985 – Critical 9.8: VMware vCenter Server remote code execution
VMware has issued patches for a Remote Code Execution (RCE) vulnerability in vCenter Server (CVE-2021-21985), with a CVSSv3 score of 9.8 (Critical). To exploit this vulnerability, an attacker would need to be able to access vCenter Server over port 443. Even if an organization has not exposed vCenter Server externally, attackers can still exploit this flaw once inside a network. VMware have identified that ransomware groups could exploit this flaw once within the network. Successful exploitation would give an attacker the ability to execute arbitrary commands on the underlying vCenter host.
Proof of concept code is also now available for this vulnerability, with reporting of scanning by threat actors over the weekend.
Jisc will be carrying out Janet wide discovery scans for vCenter servers exposed to the internet with this issues.
- 7.0 prior to 7.0 U2b
- 6.7 prior to 6.7 U3n
- 6.5 prior to 6.5 U3p
Defenders are strongly advised to ensure that:
- vCenter is not internet accessible,
- they have patched this critical issue, and
- robust patching and validation processes are in place around these, and other, critical systems.
Full details and references:
- Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0010.html
- VMWare Blog: https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html
- Proof of Concept: https://github.com/alt3kx/CVE-2021-21985_PoC
- News Article on Scanning: https://www.bleepingcomputer.com/news/security/attackers-are-scanning-for-vulnerable-vmware-servers-patch-now/
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2021-21985
This alert has also been posted on CISP https://share.cisp.org.uk/groups/academia/blog/2021/06/07/security-advisory-critical-vmware-vcenter-server-remote-code-execution-cve-2021-21985.
Base score: 9.8 (Critical)
Recipients are encouraged to calculate the Environmental Score for each of their affected systems, to aid with prioritisation, a calculator is available at https://www.first.org/cvss/calculator/3.0
If you have any questions or concerns about this advisory, please contact the team on firstname.lastname@example.org