VMware has patched a critical (CVSS 9.8) vulnerability in its widely deployed vCenter Server — a tool that provides centralised management of vSphere, a key product in modern data centers. An attacker with network access to port 443 can execute commands with unrestricted privileges on the underlying operating system.
vCenter Server lets users manage up to 70,000 VMs and 5,000 hosts. Admins can replicate roles, permissions, and licenses across data centre infrastructure. Not the sort of thing you want a bad actor to be pwning.
Allocated CVE-2021-21972, the bug was reported by Positive Technologies’ Mikhail Klyuchnikov. It is in a vCenter Server plugin for vROPs that comes in all default installations. Although an estimated 90% of VMware vCenter devices are located entirely inside the perimeter, the security firm found over 6,000 internet-facing VMware vCenter devices worldwide containing the CVE-2021-21972 vulnerability.
A quarter of these devices are located in the US (26%), followed by Germany (7%), France (6%), China (6%), Great Britain (4%), Canada (4%), Russia (3%), Taiwan (3%), Iran (3%), and Italy (3%).
“The error allows an unauthorised user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server. After receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system (such as information about virtual machines and system users).
“If the vulnerable software can be accessed from the Internet, this will allow an external attacker to penetrate the company’s external perimeter and also gain access to sensitive data. Once again, I would like to note that this vulnerability is dangerous, as it can be used by any unauthorized user.”
Users can upgrade affected installations to vCenter Server 6.5 U3n, 6.7 U3l, or 7.0 U1c. to avoid exposure. VMware has also provided a workaround. Details, along with several other VMware security advisories below.