Data centers around the world face a new problem: a remote code execution vulnerability in a widely used VMware product.
The vulnerability that VMware reported and patched on Tuesday is in vCenter Server, a tool for managing virtualization in large data centers. vCenter Server manages VMware’s vSphere and ESXi host products, which, according to some rankings, are the first and second most popular virtualization solutions on the market. Enlyft, a website that provides business intelligence, shows that more than 43,000 companies are using vSphere.
A VMware advisory states that vCenter Server machines in their default configuration have a bug that allows malicious code to run on them if an attacker can reach them over a network-exposed port, including servers exposed directly to the Internet. The vulnerability is tracked as CVE-2021-21985 and has a severity rating of 9.8 out of 10.
“The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server,” Tuesday’s advisory said. “VMware has rated the severity of this issue as critical with a maximum base CVSSv3 score of 9.8. A malicious actor with network access to port 443 could exploit this issue to execute commands with full authority on the underlying operating system hosting vCenter Server.”
In response to the frequently asked question “When should I act?”, the company’s FAQ answers, “The impact of this vulnerability is immediate and severe.”
Independent researcher Kevin Beaumont agreed.
“vCenter is virtualization management software,” he said in an interview. “When you hack it, you are controlling the virtualization layer (e.g. VMware ESXi), which allows pre-OS access (and security controls). This is a serious security vulnerability. Therefore, companies should patch or restrict access to the vCenter server to authorized administrators.”
Shodan, a service that catalogs Internet-exposed devices and services, shows that there are nearly 5,600 publicly accessible vCenter machines. Most or all of them are located in large data centers that may hold terabytes of sensitive data. Shodan shows that the top networks with vCenter servers reachable from the Internet are Amazon, Hetzner Online GmbH, OVH SAS and Google.
CVE-2021-21985 is the second vCenter vulnerability this year with a rating of 9.8. Proof-of-concept exploits from at least six different sources were published within a day of VMware fixing the vulnerability in February. The disclosure sparked a frantic round of mass internet scans as attackers and defenders alike searched for vulnerable servers.
vCenter Server versions 6.5, 6.7, and 7.0 are all affected. Organizations with vulnerable machines should prioritize this patch. Those who cannot patch right away should follow Beaumont’s workaround advice and restrict access to the server. VMware provides additional workaround guidance here.
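The article's advice boils down to a triage rule: affected branches are 6.5, 6.7 and 7.0, the vulnerable plug-in is on by default, exploitation needs only network access to port 443, and the two mitigations are patching and restricting who can reach that port. The following script is an added example, not VMware's code or anything from the article, that applies that rule to a vCenter inventory. The inventory records and their field names are constructed for the example, and whether a given build is patched is supplied as an input rather than inferred from a build number, since the fixed build numbers are not given here.

```python
"""Defender-side triage for the vCenter Server issue described above.

Added example, not VMware's or the article's code. It encodes only facts stated
in the article: affected version branches 6.5, 6.7 and 7.0; the vSAN Health Check
plug-in is enabled by default; an attacker needs network access to port 443; the
mitigations are to patch or to restrict access to authorized administrators.
"""
from dataclasses import dataclass
from typing import Dict, List

# Affected major.minor branches named in the article.
AFFECTED_BRANCHES = {"6.5", "6.7", "7.0"}


@dataclass
class VCenterHost:
    """One vCenter Server instance from an inventory (field names are this example's own)."""
    name: str
    version: str                      # e.g. "7.0.2" as reported by the appliance (assumed format)
    port_443_internet_exposed: bool   # True if port 443 is reachable from the Internet
    vsan_health_plugin_enabled: bool = True   # default per the advisory
    patched: bool = False             # True once the fixed build is confirmed installed


def branch(version: str) -> str:
    """Reduce a dotted version string to its major.minor branch, or 'unknown'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        return "unknown"
    return f"{parts[0]}.{parts[1]}"


def triage(host: VCenterHost) -> str:
    """Return a priority label for one host, most urgent cases first."""
    b = branch(host.version)
    if b == "unknown":
        # Cannot tell from the inventory; treat as work to do, not as safe.
        return "verify-version"
    if b not in AFFECTED_BRANCHES:
        return "not-affected"
    if host.patched:
        return "patched"
    if not host.vsan_health_plugin_enabled:
        # Workaround in place: the vulnerable plug-in is disabled. Still schedule the patch.
        return "mitigated-schedule-patch"
    if host.port_443_internet_exposed:
        # Default plug-in state plus Internet-reachable port 443: the exposure the
        # article describes. Patch now or restrict access to administrators.
        return "P1-patch-or-restrict-now"
    # Reachable only internally: still unpatched, so patch on the next window.
    return "P2-patch-soon"


def triage_inventory(hosts: List[VCenterHost]) -> Dict[str, str]:
    """Map every host name to its triage label."""
    return {h.name: triage(h) for h in hosts}


# Constructed sample inventory (names and versions are illustrative only).
SAMPLE_INVENTORY = [
    VCenterHost("vc-prod-01", "7.0.2", port_443_internet_exposed=True),
    VCenterHost("vc-lab-02", "6.7.0", port_443_internet_exposed=False),
    VCenterHost("vc-dr-03", "6.5.0", port_443_internet_exposed=True,
                vsan_health_plugin_enabled=False),
    VCenterHost("vc-old-04", "6.0.0", port_443_internet_exposed=True),
    VCenterHost("vc-new-05", "7.0.2", port_443_internet_exposed=True, patched=True),
    VCenterHost("vc-odd-06", "n/a", port_443_internet_exposed=False),
]

if __name__ == "__main__":
    for name, label in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {label}")
```

Because the script never decides "patched" on its own, an operator has to confirm each fixed build and set the flag; a host with an unparseable version lands in a "verify-version" bucket rather than silently dropping out of the list.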
VMware credited Ricter Z of 360 Noah Lab for reporting this issue.