PDS Cyber Security Advisory:
Advisory Regarding Vulnerabilities in ESXi, vCenter Server, and Cloud Foundation
Advisory Type: IT Security
Severity: Critical
Summary: PDS is providing the following communication to build awareness of high-priority vulnerabilities, and the patches that address them, in VMware ESXi, vCenter Server, and Cloud Foundation products.
On February 23, 2021, VMware posted advisory VMSA-2021-0002 (Multiple Security Vulnerabilities), disclosing that vulnerabilities exist in the following products:
- VMware ESXi
- VMware vCenter Server
- VMware Cloud Foundation
These products contain the following vulnerabilities:
vCenter Server Remote Code Execution in the vSphere Client (CVE-2021-21972) – The vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin. The issue is considered CRITICAL by VMware, with a CVSSv3 base score of 9.8. A malicious actor with access to port 443 could exploit the vulnerability to execute commands on the underlying operating system hosting vCenter Server. Updates are available to resolve the vulnerability.
ESXi OpenSLP Heap Overflow Vulnerability (CVE-2021-21974) – OpenSLP used in ESXi contains a heap-overflow vulnerability. The issue is considered IMPORTANT by VMware, with a CVSSv3 base score of 8.8. A malicious actor with access to port 427 may be able to perform remote code execution after triggering the vulnerability. Updates are available to resolve the vulnerability.
vSphere Client Contains SSRF Vulnerability (CVE-2021-21973) – The vSphere Client (HTML5) contains an SSRF (Server-Side Request Forgery) vulnerability due to improper URL validation in a vCenter Server plugin. VMware has determined the severity to be MODERATE, with a CVSSv3 base score of 5.3. A malicious actor with access to port 443 could exploit this vulnerability by sending a POST request to the vCenter Server plugin, resulting in information disclosure. Updates are available to resolve the vulnerability.
NOTE: The affected vCenter Server plugin is the vROPs plugin, which can be disabled as an interim workaround; KB82374 contains instructions.
VMware has published updates which resolve all these vulnerabilities:
- vCenter Server v7.0 U1c, v6.7 U3l, v6.5 U3n
- ESXi versions – ESXi70U1c-17325551, ESXi670-202102401-SG, ESXi650-202102101-SG
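To turn the fixed vCenter Server releases listed above into an inventory check, the following triage helper compares a reported vCenter version string against the fixed release for its line. This is an added example, not code from PDS or VMware; it assumes VMware update names within one release line sort by update number and then by the trailing letter (so 6.7 U3k precedes 6.7 U3l), and the inventory it runs over is constructed.

```python
"""Triage helper for the vCenter Server fixes in VMSA-2021-0002 (added example)."""
import re
from typing import Optional, Tuple

# Fixed vCenter Server releases exactly as listed in the advisory, keyed by release line.
FIXED_VCENTER = {"7.0": "7.0 U1c", "6.7": "6.7 U3l", "6.5": "6.5 U3n"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_vcenter_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '6.7 U3k' into a sortable tuple (6, 7, 3, 11).

    Assumption (not stated in the advisory): within one release line, updates
    order by update number and then by trailing letter, so U3k < U3l.
    A bare '6.7' with no update is treated as update 0.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    upd = int(update) if update else 0
    ltr = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return int(major), int(minor), upd, ltr


def needs_patch(version: str) -> Optional[bool]:
    """True if older than the fixed release for its line, False if at or above it,
    None if the line is not covered by the advisory (handle such hosts separately)."""
    parsed = parse_vcenter_version(version)
    fixed = FIXED_VCENTER.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < parse_vcenter_version(fixed)


def triage(inventory: dict) -> dict:
    """Map hostname -> needs_patch result for an inventory of version strings."""
    return {host: needs_patch(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"vc-prod-01": "6.7 U3k", "vc-prod-02": "7.0 U1c",
              "vc-lab-01": "6.5 U3n", "vc-old-01": "6.0 U3j"}
    for host, result in triage(sample).items():
        print(host, {True: "PATCH", False: "ok", None: "not covered"}[result])
```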
We strongly advise customers to review the VMware advisory and patching information. PDS Architects are available to assist with the updates, and your Account Director can arrange support for this issue.