Advisory September 22, 2021

Critical vCenter Server Vulnerability Advisory – CVE-2021-22005

Obrela SOC

VMware issued a security advisory (VMSA-2021-0020) regarding a critical vulnerability in VMware vCenter Server, the management product for virtualized hosts and virtual machines in enterprise environments. An attacker can gain access to vCenter Server over the network, regardless of the configuration settings of the vCenter Server deployment, on either Windows or Linux servers.

vCenter Server file upload vulnerability (CVE-2021-22005)

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Severity: 9.8 (Critical)

Affected products and versions:

  • vCenter Server 6.7, 7.0
  • Cloud Foundation (vCenter Server) 3.x, 4.x

The official advisory issued by VMware can be found here: https://www.vmware.com/security/advisories/VMSA-2021-0020.html

It is important to keep in mind that, given the severity and impact of this vulnerability, exploitation can be expected to come from within the corporate network. Administrators should therefore make sure that proper firewall configuration and logging are in place to detect a potential insider threat or any persistent malicious entity hiding within the network.
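The logging check recommended above, sketched as an added example (not part of the original advisory or VMware's guidance): it reviews firewall log lines for sources outside the management network that reach vCenter Server on port 443. The vCenter address, management subnet and log format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed values for illustration; replace with your own environment's data.
VCENTER_IP = "10.0.50.10"
MGMT_NETS = [ipaddress.ip_network("10.0.99.0/24")]  # admin jump hosts

# Constructed sample firewall log: timestamp src dst dport action
SAMPLE_LOG = """\
2021-09-22T08:01:12Z 10.0.99.15 10.0.50.10 443 ALLOW
2021-09-22T08:03:40Z 10.0.20.77 10.0.50.10 443 ALLOW
2021-09-22T08:03:41Z 10.0.20.77 10.0.50.10 443 ALLOW
2021-09-22T08:05:02Z 10.0.20.77 10.0.50.11 443 ALLOW
2021-09-22T08:07:19Z 192.168.7.4 10.0.50.10 443 DENY
2021-09-22T08:09:55Z 10.0.30.5 10.0.50.10 22 ALLOW
malformed line
"""

def review(log_text, vcenter=VCENTER_IP, mgmt_nets=MGMT_NETS):
    """Count ALLOW/DENY hits on vCenter tcp/443 per non-management source."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, src, dst, dport, action = parts
        if dst != vcenter or dport != "443":
            continue  # only traffic to the vCenter HTTPS port is relevant
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparsable source address
        if any(src_ip in net for net in mgmt_nets):
            continue  # expected administrative access
        counts = findings.setdefault(src, {"ALLOW": 0, "DENY": 0})
        if action in counts:
            counts[action] += 1
    return findings

if __name__ == "__main__":
    for src, c in sorted(review(SAMPLE_LOG).items()):
        # An ALLOW means the firewall rule is too broad for this source.
        status = "reachable, tighten rule" if c["ALLOW"] else "blocked, check source"
        print(f"{src}: allow={c['ALLOW']} deny={c['DENY']} -> {status}")
```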

Mitigation

Updates are available to remediate these vulnerabilities in affected VMware products. However, to ensure quick mitigation of the issues, it is strongly advised to implement the suggested workarounds as fast as possible. The steps provided in VMware’s link ensure only temporary mitigation.