VMware vCenter Server vulnerability

VMWARE VCENTER SERVER VULNERABILITY CVE-2021-21972 and CVE-2021-21973

VMware issued a security update and rated the vulnerability with an almost maximum severity score of 9.8 out of 10. The vulnerabilities in VMware ESXi and the vSphere Client (HTML5) were privately reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products.

Impacted products:

  • VMware ESXi
  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

Impacted vCenter Server versions:

  • 7.0 prior to 7.0 U1c
  • 6.7 prior to 6.7 U3l
  • 6.5 prior to 6.5 U3n
CVE-2021-21972 and CVE-2021-21973

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. The impacted vCenter Server plugin for vRealize Operations (vROps) is present in all default installations.

VMware also provides a workaround that removes the possibility of exploitation for admins who cannot update immediately. Detailed steps for implementing the workaround can be found in VMware’s KB82374 and the VMSA-2021-0002 advisory (vmware.com).

How can hackers attack

Scanning activity targeting this vulnerability was spotted by the threat intelligence company Bad Packets just one day after VMware patched it.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts VMware vCenter Server.
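Since the workaround is verified through the vROps plugin URL under /ui/vropspluginui/, the same path prefix is a useful indicator when reviewing web access logs for the scanning described above. The following shell snippet is an added example (not part of the original post) that counts probes of that path per client address and flags whether the endpoint ever answered 200, meaning it was still reachable when probed. It assumes an Apache/NGINX "combined" log format; the sample lines are constructed for the demo and the field positions must be adapted to whatever front-end actually logs the vCenter traffic.

```shell
#!/bin/sh
# Added example: triage a web access log for probes of the vROps plugin path.
# Assumption: "combined" log format ($1 = client IP, $7 = request path,
# $9 = HTTP status). Adapt the field numbers to your log source.

# Path prefix of the vulnerable vROps plugin endpoint (from the workaround check URL).
PLUGIN_PATH='/ui/vropspluginui/'

# Constructed sample log (not real traffic): one benign login, two probes that
# got a 200 before the workaround, and one probe that got a 404 after it.
SAMPLE_LOG="${TMPDIR:-/tmp}/vcenter-sample-access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [25/Feb/2021:10:00:01 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Feb/2021:10:00:05 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 200 44 "-" "python-requests/2.25.1"
198.51.100.23 - - [25/Feb/2021:10:00:09 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 200 44 "-" "python-requests/2.25.1"
192.0.2.44 - - [25/Feb/2021:10:02:30 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 404 0 "-" "curl/7.64.1"
EOF

# Constructed log from a host where the plugin is already disabled: only 404s.
PATCHED_LOG="${TMPDIR:-/tmp}/vcenter-patched-access.log"
cat > "$PATCHED_LOG" <<'EOF'
192.0.2.44 - - [26/Feb/2021:08:15:00 +0000] "GET /ui/vropspluginui/rest/services/checkmobregister HTTP/1.1" 404 0 "-" "curl/7.64.1"
EOF

# Print "count ip" for every client that requested anything under the plugin
# path, busiest client first.
plugin_hits_by_ip() {
    grep -F "$PLUGIN_PATH" "$1" | awk '{print $1}' | sort | uniq -c \
        | sort -rn | awk '{print $1, $2}'
}

# Succeed (exit 0) if any request under the plugin path received a 200: the
# endpoint was reachable at that moment, so the patch/workaround was not in
# place and the source addresses deserve a closer look.
plugin_reachable_in_log() {
    awk -v p="$PLUGIN_PATH" '$7 ~ ("^" p) && $9 == 200 { found = 1 } END { exit !found }' "$1"
}

echo "Clients probing $PLUGIN_PATH (count ip):"
plugin_hits_by_ip "$SAMPLE_LOG"
if plugin_reachable_in_log "$SAMPLE_LOG"; then
    echo "WARNING: plugin endpoint answered 200 at least once; confirm the patch or workaround is applied"
fi
```

A 404 for every probe is what the workaround steps lead to; any 200 in the window before the fix tells you which client addresses reached the plugin while it was exposed.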

Workaround

Due to the critical nature of this vulnerability, it is strongly recommended to upgrade vulnerable vCenter Server installations as soon as possible.

To patch the vulnerability, you have to upgrade affected installations to vCenter Server 6.5 U3n, 6.7 U3l, or 7.0 U1c.

Perform the following steps on Linux-based VCSA appliances.

  1. SSH into the VCSA server.
  2. Back up the compatibility-matrix.xml file to a safe location.

Location of the file

/etc/vmware/vsphere-ui/compatibility-matrix.xml

3. The content of the file is as shown below:

   <!--
   This file lets you define a WHITE LIST and a BLACK LIST of plugins to control your own setup.
   It overrides the internal black and white lists that are hard-coded in this release.
   Fling Note: until further notice all plugins are disabled by the HTML5 client except SDK samples.
   Use this file to re-enable specific HTML plugins during your testing.
   -->
   <Matrix>
      <pluginsCompatibility>
      <!--
         WHITE LIST:
         Add this to enable all plugins whose plugin-package id is com.acme.example.myplugin:
            <PluginPackage id="com.acme.example.myplugin" status="compatible"/>
         Or this to specify all versions greater or equal to 2.1.0:
            <PluginPackage id="com.acme.example.myplugin" version="[2.1.0,)" status="compatible"/>
         Or this to enable all plugins starting with com.acme:
            <PluginPackage id="com.acme.*" status="compatible"/>

         BLACK LIST:
         Add this to disable a plugin whose plugin-package id is com.acme.example.myplugin:
            <PluginPackage id="com.acme.example.myplugin" status="incompatible"/>
      -->
      </pluginsCompatibility>
   </Matrix>


4. Using the vi editor, add the following PluginPackage line inside the <pluginsCompatibility> element (the existing content of the element is shown as "...."):

   <Matrix>
      <pluginsCompatibility>
         ....
         ....
         <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
      </pluginsCompatibility>
   </Matrix>

compatibility-matrix (screenshot of the edited file)

5. Restart the vsphere-ui service using the command:

root@localhost# service-control --restart vsphere-ui

6. Open a browser and enter the URL https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister. With the workaround in place, the request returns a 404 Page Not Found error.

7. Open the vSphere HTML5 Web Client; the VMware vROps Client plugin is now shown as “incompatible”.

VMware vROPS Client plugin (screenshot)
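The seven steps above are easy to get subtly wrong by hand (editing the wrong file, adding the line twice, or forgetting the restart), so here is the same procedure as a small, idempotent shell script. It is an added example, not VMware's own tooling or code from the original post: it assumes it runs as root on the VCSA, that the file path and the `service-control` command are as given above, and that `curl` is available on the appliance for the final check. The Windows procedure later on the page edits the same XML element with the same line, only at the Windows path.

```shell
#!/bin/sh
# Added example (not VMware's tooling): apply and verify the KB82374 workaround
# on a Linux VCSA by blacklisting the vROps plugin in compatibility-matrix.xml.
# Assumptions: run as root on the appliance; service-control and curl exist.

MATRIX="${MATRIX:-/etc/vmware/vsphere-ui/compatibility-matrix.xml}"
VROPS_LINE='<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>'

# Step 2: copy the file aside (timestamped) before touching it.
backup_matrix() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Step 4: insert the blacklist entry just before </pluginsCompatibility>.
# Idempotent: a file that already carries the entry is left unchanged, and a
# file without the expected closing tag is refused (exit 2) rather than edited.
disable_vrops_plugin() {
    f="$1"
    if grep -Fq 'id="com.vmware.vrops.install"' "$f"; then
        return 0
    fi
    grep -Fq '</pluginsCompatibility>' "$f" || return 2
    tmp="$f.tmp.$$"
    awk -v line="$VROPS_LINE" '
        /<\/pluginsCompatibility>/ { print "      " line }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Number of vROps blacklist entries in the file (expect exactly 1 after the edit).
vrops_entry_count() {
    grep -Fc 'id="com.vmware.vrops.install"' "$1"
}

# Step 5: restart the HTML5 client so it re-reads the matrix.
restart_vsphere_ui() {
    service-control --restart vsphere-ui
}

# Step 6: print the HTTP status of the plugin endpoint; 404 means the plugin is
# disabled. -k because the VCSA certificate is often self-signed.
check_plugin_endpoint() {
    curl -sk -o /dev/null -w '%{http_code}' \
        "https://$1/ui/vropspluginui/rest/services/checkmobregister"
}

# Usage on the appliance: sh apply_workaround.sh apply <VC-IP-or-FQDN>
if [ "${1:-}" = "apply" ]; then
    backup_matrix "$MATRIX" && disable_vrops_plugin "$MATRIX" && restart_vsphere_ui
    echo "checkmobregister -> HTTP $(check_plugin_endpoint "${2:-localhost}")"
    echo "vROps blacklist entries in $MATRIX: $(vrops_entry_count "$MATRIX")"
fi
```

Running it twice is safe: the second run finds the entry already present and leaves the file alone, which matters because a duplicated element is the most common way a hand edit of this file goes wrong.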

Perform the following steps on a Windows-based vCenter Server.

  1. Log in to the Windows server where vCenter Server is deployed.
  2. Back up the compatibility-matrix.xml file to a safe location.

Location of the file

C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml

3. The content of the file is as shown below:

   <!--
   This file lets you define a WHITE LIST and a BLACK LIST of plugins to control your own setup.
   It overrides the internal black and white lists that are hard-coded in this release.
   Fling Note: until further notice all plugins are disabled by the HTML5 client except SDK samples.
   Use this file to re-enable specific HTML plugins during your testing.
   -->
   <Matrix>
      <pluginsCompatibility>
      <!--
         WHITE LIST:
         Add this to enable all plugins whose plugin-package id is com.acme.example.myplugin:
            <PluginPackage id="com.acme.example.myplugin" status="compatible"/>
         Or this to specify all versions greater or equal to 2.1.0:
            <PluginPackage id="com.acme.example.myplugin" version="[2.1.0,)" status="compatible"/>
         Or this to enable all plugins starting with com.acme:
            <PluginPackage id="com.acme.*" status="compatible"/>

         BLACK LIST:
         Add this to disable a plugin whose plugin-package id is com.acme.example.myplugin:
            <PluginPackage id="com.acme.example.myplugin" status="incompatible"/>
      -->
      </pluginsCompatibility>
   </Matrix>


4. Using a text editor, add the following PluginPackage line inside the <pluginsCompatibility> element (the existing content of the element is shown as "...."):

   <Matrix>
      <pluginsCompatibility>
         ....
         ....
         <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
      </pluginsCompatibility>
   </Matrix>

5. The file should look like below:

compatibility-matrix (screenshot of the edited file)

6. Restart the vsphere-ui service using the command:

C:\Program Files\VMware\vCenter Server\bin> service-control --restart vsphere-ui

7. Open a browser and enter the URL https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister. With the workaround in place, the request returns a 404 Page Not Found error.

8. Open the vSphere HTML5 Web Client; the VMware vROps Client plugin is now shown as “incompatible”.

VMware vROPS Client plugin (screenshot)
