VMware developers rushed to alert their customers that a critical vulnerability had been discovered in vCenter Server.
They also urge vCenter users to update their software immediately to the latest versions, in which several dangerous vulnerabilities were recently fixed. One of the problems allows remote execution of arbitrary code and is rated 9.8 out of 10 on the CVSS v3 scale. This is CVE-2021-21985, a vulnerability in the Virtual SAN Health Check plugin that ships enabled by default with vCenter. An attacker who can reach port 443 on a vulnerable host can use this bug to run whatever they want on it.
The company was warned about this vulnerability by specialists from 360 Noah Lab, who note that unauthenticated attackers can exploit this problem, and such attacks will not require any interaction with the user.
VMware reports that the vulnerable “Virtual SAN Health Check plug-in is included by default in all vCenter Server deployments, regardless of whether vSAN is in use.”
According to Shodan, more than 5,600 vCenter machines are currently reachable from the internet. Most of them are located in large data centres, where terabytes of confidential information can potentially be stored.
Also this week, the company fixed another vulnerability in the authentication mechanism, which received the identifier CVE-2021-21986 and affects the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager and VMware Cloud Director Availability plugins. This bug is rated 6.5 on the CVSS v3 scale and allows an attacker to perform actions with plugins without authentication.
Let me also remind you that I wrote about VMware closing an RCE vulnerability in ESXi and Horizon.