Data centers around the world have a new concern to contend with—a remote code vulnerability in a widely used VMware product.
The security flaw, which VMware disclosed and patched on Tuesday, resides in the vCenter Server, a tool used for managing virtualization in large data centers. vCenter Server is used to administer VMware’s vSphere and ESXi host products, which by some rankings are the first and second most popular virtualization solutions on the market. Enlyft, a site that provides business intelligence, shows that more than 43,000 organizations use vSphere.
A VMware advisory said that vCenter machines using default configurations have a bug that, in many networks, allows for the execution of malicious code when the machines are reachable on a port that is exposed to the Internet. The vulnerability is tracked as CVE-2021-21985 and has a severity score of 9.8 out of 10.
“The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server,” Tuesday’s advisory stated. “VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8… A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
In response to the frequently asked question “When do I need to act?” company officials wrote, “Immediately, the ramifications of this vulnerability are serious.”
Independent researcher Kevin Beaumont agreed.
“vCenter is a virtualization management software,” he said in an interview. “If you hack it, you control the virtualization layer (e.g., VMware ESXi)—which allows access before the OS layer (and security controls). This is a serious vulnerability, so organizations should patch or restrict access to the vCenter server to authorized administrators.”
Shodan, a service that catalogs sites available on the Internet, shows that there are almost 5,600 public-facing vCenter machines. Most or all of those reside in large data centers potentially hosting terabytes of sensitive data. Shodan shows that the top users with vCenter servers exposed on the Internet are Amazon, Hetzner Online GmbH, OVH SAS, and Google.
CVE-2021-21985 is the second vCenter vulnerability this year to carry a 9.8 rating. Within a day of VMware patching the vulnerability in February, proof-of-concept exploits appeared from at least six different sources. The disclosure set off a frantic round of mass Internet scans as attackers and defenders alike searched for vulnerable servers.
vCenter versions 6.5, 6.7, and 7.0 are all affected. Organizations with vulnerable machines should prioritize this patch. Those who can’t install immediately should follow Beaumont’s workaround advice. VMware has more workaround guidance here.
VMware credited Ricter Z of 360 Noah Lab for reporting this issue.