Caleb Boma | May 27th, 2021

VMware has released patches to address critical security vulnerabilities in vCenter Servers that could be leveraged by an adversary to execute arbitrary code on the server.

CVE-2021-21985 (CVSS 9.8) – This vulnerability stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server. “A malicious actor with network access to port 443 may exploit this vulnerability to execute commands with unrestricted privileges on the operating system hosting vCenter Server.”

VMware vCenter Server is a server management utility used to control virtual machines, ESXi hosts, and other dependent components from a single centralized location. The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x.

The patch also fixes an authentication issue in the vSphere Client affecting the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins (CVE-2021-21986, CVSS 6.5), which allowed threat actors to perform actions permitted by those plug-ins without authenticating.

VMware recommends that customers apply the emergency patch, but it has also published a workaround that marks the affected plug-ins as incompatible so that the vSphere Client no longer loads them.
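The following is an added example, not code from this post or from VMware, for checking whether that plug-in workaround has actually been applied on a vCenter Server Appliance. It assumes, based on VMware's published workaround for these CVEs rather than on anything in this post, that the vSphere Client keeps its plug-in compatibility list at `/etc/vmware/vsphere-ui/compatibility-matrix.xml` as `<PluginPackage id="..." status="incompatible"/>` entries, and that the plug-in IDs below are the ones the workaround names; confirm both against the VMware KB for your version before relying on the result. The sample XML is constructed inline so the check runs offline.

```python
"""Audit a vSphere Client compatibility matrix for the CVE-2021-21985/21986
plug-in workaround.

Added example, not VMware tooling. The file path, XML layout and plug-in IDs
are assumptions taken from VMware's public workaround, not from this post.
"""
import sys
import xml.etree.ElementTree as ET

# Assumed location of the matrix on the vCenter Server Appliance.
MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"

# Plug-in IDs the workaround marks incompatible (assumed from the VMware KB).
EXPECTED_DISABLED = {
    "com.vmware.vrops.install",          # vRealize Operations
    "com.vmware.vsphere.client.h5vsan",  # vSAN Health Check (CVE-2021-21985)
    "com.vmware.vrUi",                   # Site Recovery
    "com.vmware.vum.client",             # vSphere Lifecycle Manager
    "com.vmware.h4.vsphere.client",      # VMware Cloud Director Availability
}


def disabled_plugins(matrix_xml: str) -> set:
    """Return the plug-in IDs that the matrix marks as incompatible."""
    root = ET.fromstring(matrix_xml)
    return {
        pkg.get("id")
        for pkg in root.iter("PluginPackage")
        if pkg.get("status") == "incompatible" and pkg.get("id")
    }


def missing_entries(matrix_xml: str, expected=frozenset(EXPECTED_DISABLED)) -> set:
    """Return the expected plug-ins that are NOT yet disabled in the matrix."""
    return set(expected) - disabled_plugins(matrix_xml)


# Constructed sample: an operator added only two of the five entries.
SAMPLE_PARTIAL = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
    <PluginPackage id="com.vmware.vum.client" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""

# Constructed sample: the full workaround as the KB describes it.
SAMPLE_COMPLETE = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
    <PluginPackage id="com.vmware.vrUi" status="incompatible"/>
    <PluginPackage id="com.vmware.vum.client" status="incompatible"/>
    <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def audit(matrix_xml: str) -> int:
    """Print a summary; exit status 0 when every expected plug-in is disabled."""
    try:
        missing = missing_entries(matrix_xml)
    except ET.ParseError as exc:
        print(f"matrix is not well-formed XML: {exc}")
        return 2
    if missing:
        print("workaround INCOMPLETE; still enabled:")
        for plugin_id in sorted(missing):
            print(f"  {plugin_id}")
        return 1
    print("workaround applied: all expected plug-ins marked incompatible")
    return 0


if __name__ == "__main__":
    # Read the live matrix if a path is given (or exists); else use the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else MATRIX_PATH
    try:
        with open(path, encoding="utf-8") as fh:
            sys.exit(audit(fh.read()))
    except OSError:
        print(f"{path} not readable; auditing constructed sample instead")
        sys.exit(audit(SAMPLE_PARTIAL))
```

A matrix that lists all five IDs only stops the plug-ins from loading after the vsphere-ui service is restarted, which the VMware workaround also calls for; this check confirms the file edit, not that the restart happened, so pair it with a check that the plug-ins are absent from the vSphere Client UI. Patching remains the fix; the workaround only reduces exposure until the update is applied.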

“Organizations who have placed their vCenter Servers on Networks that are directly accessible from the Internet should audit their systems for compromise,” VMware suggested.

SpearTip’s engineers are actively monitoring this vulnerability and making necessary updates to keep partners secure. This is one of the best reasons to have a Security Operations Center as a Service (SOCaaS). At any moment in the day, our Security Operations Center is operating and engineers are ready to assist in improving your organization’s security.

Our team will continuously monitor environments 24/7 in our US-based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.