VMware is urging its customers to update vCenter Server versions 6.5, 6.7 and 7.0 immediately after fixing two vulnerabilities that could allow attackers to launch remote code execution attacks.
The most severe bug is tracked as CVE-2021-21985 which lies in the vSphere Client. This flaw involves a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default in the system.
The vSAN system is a software-defined storage platform that's used to eliminate the need for additional storage boxes using the local server storage. The health check plugin enhances customer support and user experience by allowing customers to manage their virtual deployments, including dozens of automated health checks.
The vulnerability is rated 9.8 on the CVSS threat severity scale and could allow hackers with network access to port 443 to execute commands with unrestricted privileges on the operating system that hosts vCenter Server. The high base score suggests the effects are particularly devastating, and the vulnerability is relatively easy to exploit.
The second vulnerability, tracked as CVE-2021-21986, is less severe, but nonetheless would allow attackers with network access to port 443 on vCenter Server to perform actions allowed by the impacted plugins without authentication.
This vulnerability concerns a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plugins in the vSphere Client.
The bugs are extremely serious, VMware has warned, and customers are being advised to patch immediately.
"With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly," the firm says in its FAQs.
"This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence."
RELATED RESOURCE
Five lessons learned from the pivot to a distributed workforce
Improve employee experience and support IT teams for a more adaptable distributed workforce
The issue affects all vCenter Server customers, not just those who use vSAN, because this plugin is shipped with all systems and is enabled by default. The company doesn't advise disabling the vSAN plugin, because manageability and monitoring will not be possible, and customers using vSAN should only disable the plugin for short periods of time.
Warning of the dangers, VMware said in its FAQs that customers without perimeter security controls on their virtualisation infrastructure may be in jeopardy. Ransomware gangs, particularly, have demonstrated they can compromise corporate networks and subsequently wait for new vulnerabilities in order to attack from inside a network.
The fear is very real given that ransomware operators had previously exploited critical ESXi and vSphere Client flaws, with Carbon Spider and Sprite Spider gangs exploiting the flaws to encrypt virtual machines (VMs).
-
Two years on from its Series B round, Hack the Box is targeting further growthNews Hack the Box has grown significantly in the last two years, and it shows no signs of slowing down
-
Dragging your feet on Windows 11 migration? Rising infostealer threats might change thatNews With the clock ticking down to the Windows 10 end of life deadline in October, organizations are dragging their feet on Windows 11 migration – and leaving their devices vulnerable as a result.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
