vCenter RCE: patch to escape it
VMware is urging its vCenter users to update vCenter Server versions 6.5, 6.7 and 7.0, since a pair of vulnerabilities persist in vCenter. By CVSSv3 score, CVE-2021-21985 hits 9.8, while CVE-2021-21986 was scored 6.5.
The first, CVE-2021-21985, is an RCE in the vSAN Health Check plug-in of the vSphere Client (HTML5): an attacker with network access to port 443 can execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. The plug-in is enabled by default, so vCenter is affected even where vSAN is not in use.
Organisations that have placed their vCenter Servers on networks directly accessible from the internet do not have the network perimeter as a line of defence and should audit their systems for compromise.
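One way to start the audit mentioned above, as an added Python example that is not VMware's code and not part of the original post: triage vSphere Client access-log lines for requests that reached the vSAN Health Check plug-in's service proxy, and rank sources by whether they sit outside the networks you expect management traffic from. The proxy prefix /ui/h5-vsan/rest/proxy/service/, the combined access-log format and the trusted network 10.0.0.0/8 are assumptions, and the log lines are constructed; confirm the path layout and log location on your own appliance before relying on it.

```python
"""Triage access-log lines for requests to the vSAN Health Check plug-in proxy.

Added example, not VMware code. Everything marked 'assumed' or 'constructed'
below must be checked against the real appliance before use.
"""
import ipaddress
import re

# Assumed: the vSAN Health Check plug-in's service proxy is served under this
# prefix of the vSphere Client; any request to it is worth a look.
VSAN_PROXY_PREFIX = "/ui/h5-vsan/rest/proxy/service/"

# Constructed: networks from which vCenter management traffic is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined access-log format: src - - [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample; 203.0.113.0/24 stands in for the internet.
SAMPLE_LOG = """\
10.0.0.15 - - [02/Jun/2021:10:01:12 +0000] "GET /ui/ HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2021:10:02:40 +0000] "POST /ui/h5-vsan/rest/proxy/service/someBean/someMethod HTTP/1.1" 200 97
10.0.0.22 - - [02/Jun/2021:10:03:05 +0000] "GET /ui/h5-vsan/rest/proxy/service/someBean/getStatus HTTP/1.1" 200 412
this line is not an access-log record
203.0.113.9 - - [02/Jun/2021:10:04:51 +0000] "POST /ui/h5-vsan/rest/proxy/service/someBean/someMethod HTTP/1.1" 401 0
10.0.0.15 - - [02/Jun/2021:10:05:30 +0000] "GET /ui/h5-vsan/static/app.js HTTP/1.1" 200 88123
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_external(src):
    """True when src is outside TRUSTED_NETS; unparseable sources count as external."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(addr in net for net in TRUSTED_NETS)


def triage(log_text):
    """Collect every request that reached the vSAN plug-in service proxy."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(VSAN_PROXY_PREFIX):
            continue
        rec["external_src"] = is_external(rec["src"])
        hits.append(rec)
    return hits


def summarize(hits):
    """Per source: total proxy requests and how many were answered with a 2xx."""
    by_src = {}
    for h in hits:
        s = by_src.setdefault(
            h["src"], {"external": h["external_src"], "requests": 0, "successful": 0}
        )
        s["requests"] += 1
        if 200 <= h["status"] < 300:
            s["successful"] += 1
    return by_src


if __name__ == "__main__":
    # External sources with successful proxy calls go to the top of the list.
    summary = summarize(triage(SAMPLE_LOG))
    for src, s in sorted(summary.items(), key=lambda kv: (not kv[1]["external"], kv[0])):
        flag = "EXTERNAL" if s["external"] else "internal"
        print(f"{src:15} {flag:8} proxy requests={s['requests']} 2xx={s['successful']}")
```

A 2xx answer to a POST on the proxy path from an address you do not manage is the finding to escalate; a 401 or 403 only tells you that particular request was rejected, not that the host is patched, so still check the vCenter build.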
VMware recommends that users update vCenter or, if that is not possible, follow the company's instructions for disabling the affected vCenter Server plug-ins (KB 83829).
Although vSAN keeps running while the plug-in is disabled, it cannot be managed or monitored from the vSphere Client during that time, so a customer who uses vSAN should only disable the plug-in for short periods.
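The plug-in disable step, as an added Python example (not VMware's script and not from the original post): it rewrites the vSphere Client compatibility matrix to mark a plug-in incompatible so the UI refuses to load it, backing the file up first and reporting what is now disabled so the change can be verified. The file path /etc/vmware/vsphere-ui/compatibility-matrix.xml, the element layout and the vSAN plug-in id com.vmware.vsphere.client.h5vsan are assumptions to be checked against VMware KB 83829 for your version; the sample matrix is constructed.

```python
"""Mark vSphere Client plug-ins incompatible in compatibility-matrix.xml.

Added example, not VMware's script. Path, element layout and plug-in id are
assumptions; verify them against KB 83829 for your vCenter version.
"""
import shutil
import xml.etree.ElementTree as ET

MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"  # assumed location on the VCSA
VSAN_PLUGIN_ID = "com.vmware.vsphere.client.h5vsan"               # assumed id of the vSAN Health Check plug-in

# Constructed sample: a matrix with no overrides yet (element layout assumed).
SAMPLE_MATRIX = """<Matrix>
   <pluginsCompatibility>
   </pluginsCompatibility>
</Matrix>
"""


def disable_plugins(xml_text, plugin_ids):
    """Return the matrix with each plug-in id marked status="incompatible".

    Idempotent: an existing entry for an id is updated, never duplicated.
    """
    root = ET.fromstring(xml_text)
    container = root.find("pluginsCompatibility")
    if container is None:          # fall back to the root if the section is absent
        container = root
    existing = {p.get("id"): p for p in root.iter("PluginPackage")}
    for pid in plugin_ids:
        entry = existing.get(pid)
        if entry is None:
            entry = ET.SubElement(container, "PluginPackage", id=pid)
            existing[pid] = entry
        entry.set("status", "incompatible")
    return ET.tostring(root, encoding="unicode")


def disabled_plugins(xml_text):
    """Ids the matrix currently marks incompatible (use this to verify the edit)."""
    root = ET.fromstring(xml_text)
    return sorted(p.get("id") for p in root.iter("PluginPackage")
                  if p.get("status") == "incompatible")


def apply_to_appliance(plugin_ids=(VSAN_PLUGIN_ID,), path=MATRIX_PATH):
    """Back up the live matrix, rewrite it, and return the ids now disabled."""
    shutil.copy2(path, path + ".backup")
    with open(path, encoding="utf-8") as fh:
        updated = disable_plugins(fh.read(), plugin_ids)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated)
    return disabled_plugins(updated)


if __name__ == "__main__":
    print(disable_plugins(SAMPLE_MATRIX, [VSAN_PLUGIN_ID]))
```

Run it as root on the appliance, then restart the UI with `service-control --restart vsphere-ui` and confirm the vSAN entries no longer appear in the vSphere Client; to re-enable the plug-in after patching, restore the .backup copy and restart the UI again.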
Users are warned that the patches add stricter plug-in authentication, so some third-party plug-ins may break; affected users are directed to contact the plug-in vendor.
The second vulnerability, CVE-2021-21986, would allow an attacker with network access to port 443 to perform actions allowed by the affected plug-ins without authentication.
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.