On September 21, 2021, VMware disclosed multiple vulnerabilities—including an arbitrary file upload vulnerability—that exist within vCenter Server and Cloud Foundation. Patches and workarounds are available, including a remediation for the remote file upload vulnerability.
VMware states that all 19 vulnerabilities were privately disclosed, and that the arbitrary file upload vulnerability impacts all vCenter Server 6.7 and 7.0 deployments. VMware believes that exploits will be developed quickly and highly recommends patching as soon as possible.
Alert Logic has already applied patches to mitigate this vulnerability in internal infrastructure.
Vulnerability description
The disclosed vulnerabilities range from arbitrary file upload (CVSS v3 base score of 9.8) and local privilege escalation (CVSS v3 base score of 7.8) to SSRF, XSS, and denial of service (DoS) vulnerabilities. Depending on the vulnerability, vCenter Server 6.5, 6.7, and 7.0 may be affected.
The critical vulnerabilities that can be exploited remotely require that vCenter be reachable on the network via port 443, while certain other vulnerabilities require network access to port 5480 or 9087.
VMware’s advisory covering these vulnerabilities lists the following 19 assigned CVE numbers:
– CVE-2021-21991: vCenter Server local privilege escalation vulnerability
- CVSS v3 base score of 8.8
- Update available to patch
– CVE-2021-21992: vCenter Server XML parsing (DoS) vulnerability
- CVSS v3 base score of 6.5
- Update available to patch
– CVE-2021-21993: vCenter Server SSRF vulnerability
- CVSS v3 base score of 4.3
- Update available to patch
– CVE-2021-22005: vCenter Server file upload vulnerability
- CVSS v3 base score of 9.8
- Requires network access to port 443
- Both a patch and workaround are available
- vCenter Server 6.5 not impacted
– CVE-2021-22006: vCenter Server reverse proxy bypass vulnerability
- CVSS v3 base score of 8.3
- Requires network access to port 443
- Update available to patch
– CVE-2021-22007: vCenter Server local information disclosure vulnerability
- CVSS v3 base score of 5.5
- Update available to patch
– CVE-2021-22008: vCenter Server information disclosure vulnerability
- CVSS v3 base score of 5.3
- Requires network access to port 443
- Update available to patch
– CVE-2021-22009: vCenter Server VAPI multiple DoS vulnerabilities
- CVSS v3 base score of 5.3
- Requires network access to port 443
- Update available to patch
– CVE-2021-22010: vCenter Server VPXD DoS vulnerability
- CVSS v3 base score of 5.3
- Requires network access to port 443
- Update available to patch
- Only vCenter Server 6.5 is impacted
– CVE-2021-22011: vCenter Server unauthenticated API endpoint vulnerability
- CVSS v3 base score of 8.1
- Requires network access to port 443
- Update available to patch
– CVE-2021-22012: vCenter Server unauthenticated API information disclosure vulnerability
- CVSS v3 base score of 7.5
- Requires network access to port 443
- Update available to patch
– CVE-2021-22013: vCenter Server file path traversal vulnerability
- CVSS v3 base score of 7.5
- Requires network access to port 443
- Update available to patch
- Only vCenter Server 6.5 is impacted
– CVE-2021-22014: vCenter Server authenticated code execution vulnerability
- CVSS v3 base score of 7.2
- Requires network access to port 5480
- Update available to patch
– CVE-2021-22015: vCenter Server improper permission local privilege escalation vulnerabilities
- CVSS v3 base score of 7.8
- Update available to patch
– CVE-2021-22016: vCenter Server reflected XSS vulnerability
- CVSS v3 base score of 7.5
- Update available to patch
- Only vCenter Server 6.7 is impacted
– CVE-2021-22017: vCenter Server rhttpproxy bypass vulnerability
- CVSS v3 base score of 7.3
- Requires network access to port 443
- Update available to patch
- vCenter Server 7.0 is not impacted
– CVE-2021-22018: vCenter Server file deletion vulnerability
- CVSS v3 base score of 6.5
- Requires network access to port 9087
- Update available to patch
- Only vCenter Server 7.0 is impacted
– CVE-2021-22019: vCenter Server DoS vulnerability
- CVSS v3 base score of 5.2
- Requires network access to port 5480
- Update available to patch
– CVE-2021-22020: vCenter Server analytics service DoS vulnerability
- CVSS v3 base score of 5.0
- Requires network access to port 443
- Update available to patch
Customers who use vCenter 6.7 and 7.0, and especially those that have Port 443 exposed to the Internet, are urged to patch immediately. Customers running vCenter 6.5 are still urged to patch, but they are not affected by the most severe vulnerability (CVE-2021-22005).
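The prioritisation rule above (patch everything, but treat Internet-exposed port 443 on 6.7/7.0 as the most urgent case) can be applied mechanically to an inventory. The following Python script is an added example, not Alert Logic or VMware code: its ADVISORY table is transcribed from the CVE list above, the hosts in main() are constructed sample data, and it assumes that wherever the advisory summary states no version restriction, all three branches (6.5, 6.7, 7.0) are affected.

```python
"""Patch-priority triage for the vCenter CVE list above.

Added example (not Alert Logic or VMware code). ADVISORY is transcribed from
the list on this page; the inventory in main() is constructed sample data.
Assumption: where the page states no version restriction, all of 6.5, 6.7
and 7.0 are treated as affected.
"""
from collections import namedtuple
from dataclasses import dataclass, field

Entry = namedtuple("Entry", "cve summary cvss port versions")
ALL = frozenset({"6.5", "6.7", "7.0"})   # assumption: no restriction stated

# port=None means a local-only issue (no network port named in the advisory)
ADVISORY = [
    Entry("CVE-2021-21991", "local privilege escalation", 8.8, None, ALL),
    Entry("CVE-2021-21992", "XML parsing DoS", 6.5, None, ALL),
    Entry("CVE-2021-21993", "SSRF", 4.3, None, ALL),
    Entry("CVE-2021-22005", "arbitrary file upload", 9.8, 443, frozenset({"6.7", "7.0"})),
    Entry("CVE-2021-22006", "reverse proxy bypass", 8.3, 443, ALL),
    Entry("CVE-2021-22007", "local information disclosure", 5.5, None, ALL),
    Entry("CVE-2021-22008", "information disclosure", 5.3, 443, ALL),
    Entry("CVE-2021-22009", "VAPI multiple DoS", 5.3, 443, ALL),
    Entry("CVE-2021-22010", "VPXD DoS", 5.3, 443, frozenset({"6.5"})),
    Entry("CVE-2021-22011", "unauthenticated API endpoint", 8.1, 443, ALL),
    Entry("CVE-2021-22012", "unauthenticated API info disclosure", 7.5, 443, ALL),
    Entry("CVE-2021-22013", "file path traversal", 7.5, 443, frozenset({"6.5"})),
    Entry("CVE-2021-22014", "authenticated code execution", 7.2, 5480, ALL),
    Entry("CVE-2021-22015", "improper permission local privesc", 7.8, None, ALL),
    Entry("CVE-2021-22016", "reflected XSS", 7.5, None, frozenset({"6.7"})),
    Entry("CVE-2021-22017", "rhttpproxy bypass", 7.3, 443, frozenset({"6.5", "6.7"})),
    Entry("CVE-2021-22018", "file deletion", 6.5, 9087, frozenset({"7.0"})),
    Entry("CVE-2021-22019", "DoS", 5.2, 5480, ALL),
    Entry("CVE-2021-22020", "analytics service DoS", 5.0, 443, ALL),
]


@dataclass
class Host:
    name: str
    version: str                                   # vCenter branch: "6.5", "6.7" or "7.0"
    internet_ports: frozenset = field(default_factory=frozenset)  # ports exposed to the Internet
    patched: bool = False                          # advisory patch already applied


TIER_ORDER = {"internet": 0, "network": 1, "local": 2}


def applicable(host):
    """Advisory entries that apply to this host's vCenter branch."""
    return [e for e in ADVISORY if host.version in e.versions]


def exposure(host, entry):
    """Where the vulnerable service can be reached from: the Internet, the
    internal network, or only the local machine (no network port involved)."""
    if entry.port is None:
        return "local"
    return "internet" if entry.port in host.internet_ports else "network"


def triage(hosts):
    """(host, cve, cvss, exposure) for every unpatched host, most urgent first:
    Internet-reachable issues before internal-only ones, then by CVSS score."""
    findings = [
        (h.name, e.cve, e.cvss, exposure(h, e))
        for h in hosts if not h.patched
        for e in applicable(h)
    ]
    findings.sort(key=lambda f: (TIER_ORDER[f[3]], -f[2], f[0], f[1]))
    return findings


def main():
    hosts = [  # constructed sample inventory
        Host("vc-dmz", "7.0", internet_ports=frozenset({443})),
        Host("vc-lab", "6.5"),
        Host("vc-prod", "6.7", patched=True),
    ]
    for name, cve, cvss, tier in triage(hosts)[:5]:
        print(f"{name:8} {cve}  CVSS {cvss:<4} reachable from: {tier}")


if __name__ == "__main__":
    main()
```

Run as-is it lists the 7.0 host with port 443 open to the Internet first, headed by CVE-2021-22005, while the 6.5 host (not affected by CVE-2021-22005) only appears in the internal-network tier; a patched host produces no findings at all.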
More information on the vulnerabilities, their assigned CVE and CVSS scores, and how to patch can be found here.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic is researching this threat to develop appropriate scan coverage.
Network IDS: Alert Logic is actively working on deploying IDS signatures for this vulnerability.
Web Application Firewall: Alert Logic is actively researching to determine whether web application coverage is appropriate for this threat.
Log Management: Alert Logic has deployed initial telemetry signatures to aid in detection research. Alert Logic is actively researching this threat to determine whether signatures can be developed to detect attacks.
Recommendations for Mitigation
VMware has released both a patch and workarounds that address the critical vulnerabilities; however, the workarounds alone do not mitigate all of the CVEs listed in the advisory. Customers that leverage vCenter are urged to read VMware’s advisory and guidance on applying the patches or workarounds.
Updates
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed in to the Support Center using your Alert Logic product credentials to follow this article.