VMware Advisory ID VMSA-2021-0010

VMware has been privately informed of multiple vulnerabilities in the vSphere Client (HTML). The vulnerabilities have been assigned CVE-2021-21985 and CVE-2021-21986.

The vulnerabilities cover remote code execution and an authentication mechanism issue, and have been scored 9.8 and 6.5 respectively on the Common Vulnerability Scoring System (CVSSv3), where scores range from 0 to 10; 0 being Low and 10 being Critical.

VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21985) - CVSSv3 score of 9.8

This vulnerability affects the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to port 443 may exploit the vulnerability to execute commands with unrestricted privileges on the operating system hosting vCenter Server. This affects vCenter versions 6.5, 6.7, and 7.0 as well as Cloud Foundation 3.x and 4.x on any version of operating system.

To remediate against this CVE, the versions of VMware must be updated to the following versions, available at the links below:

Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986) - CVSSv3 score of 6.5

This vulnerability affects multiple vSphere Client (HTML) plug-ins. The plug-ins affected are the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform the actions that these plug-ins are designed to facilitate, without authentication. This affects vCenter versions 6.5, 6.7, and 7.0 as well as Cloud Foundation 3.x and 4.x on any version of operating system.

To remediate against this CVE, the versions of VMware must be updated to the following versions, available at the links below:

Remediation

A temporary workaround for these vulnerabilities is to disable the affected plug-ins. The effect of this is that the functions provided by the plug-ins will immediately become unavailable. To disable the plug-ins, follow the steps below.

PLEASE NOTE: It is not sufficient to disable the plug-in from within the UI; a plug-in disabled via the UI will still be exploitable. Instead, entries can be added to the compatibility-matrix.xml file that force each plug-in to be treated as ‘incompatible’. The compatibility-matrix.xml file is located in the following directories:

vSphere Environment Setup: location of compatibility-matrix.xml

vCenter Server for Windows
  vSphere Client:     C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui
  vSphere Web Client: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client

vCenter Server Appliance
  vSphere Client:     /etc/vmware/vsphere-ui
  vSphere Web Client: /etc/vmware/vsphere-client

Add the lines below to the compatibility-matrix.xml file to ‘disable’ each individual plug-in:

Plugin Name: VMware vRops Client Plugin
Configuration Line: <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>

Plugin Name: VMware vSAN H5 Client Plugin
Configuration Line: <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>

Plugin Name: Site Recovery
Configuration Line: <PluginPackage id="com.vmware.vrUi" status="incompatible"/>

Plugin Name: VMware vSphere Life-cycle Manager
Configuration Line: <PluginPackage id="com.vmware.vum.client" status="incompatible"/>

Plugin Name: VMware Cloud Director Availability
Configuration Line: <PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>

To check the status of the plug-ins, open the vSphere Client UI and navigate to Administration > Solutions > Client Plug-ins. The plug-ins should show as ‘incompatible’.
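The workaround above is a manual edit of an XML file, which is easy to get wrong on a fleet of vCenter Servers (a typo in an id, or an entry placed outside the right element, leaves the plug-in enabled). The script below is an added example, not VMware's or Transparity's code: it adds the five PluginPackage entries from the table above to a compatibility-matrix.xml, skips entries that are already present, and reports which ids are still not marked ‘incompatible’ so the result can be checked before trusting the UI. It assumes the file's root element is <Matrix> with a <pluginsCompatibility> child that holds the PluginPackage entries; the sample file embedded in the script is constructed for illustration, so confirm the layout against the real file on your appliance before running it there.

```python
"""Add and verify 'incompatible' PluginPackage entries in a vSphere compatibility-matrix.xml.

Added example for the VMSA-2021-0010 plug-in workaround; not VMware's own tooling.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# Plug-in package ids taken from the advisory's table.
PLUGIN_IDS = {
    "VMware vRops Client Plugin": "com.vmware.vrops.install",
    "VMware vSAN H5 Client Plugin": "com.vmware.vsphere.client.h5vsan",
    "Site Recovery": "com.vmware.vrUi",
    "VMware vSphere Life-cycle Manager": "com.vmware.vum.client",
    "VMware Cloud Director Availability": "com.vmware.h4.vsphere.client",
}

# Constructed sample of a compatibility-matrix.xml. The <Matrix>/<pluginsCompatibility>
# layout is an assumption of this example; one plug-in is already marked incompatible
# to show that existing entries are left alone rather than duplicated.
SAMPLE_MATRIX = """<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
  </pluginsCompatibility>
</Matrix>
"""


def _parse(xml_text):
    # Accept str or bytes; parse from bytes so the encoding declaration is honoured.
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def mark_incompatible(xml_text, plugin_ids):
    """Return (updated_xml, changed_ids). Idempotent: a second run changes nothing."""
    root = _parse(xml_text)
    container = root.find("pluginsCompatibility")
    if container is None:  # assumed container element; created if absent
        container = ET.SubElement(root, "pluginsCompatibility")
    existing = {pkg.get("id"): pkg for pkg in container.findall("PluginPackage")}
    changed = []
    for pid in plugin_ids:
        pkg = existing.get(pid)
        if pkg is None:
            pkg = ET.SubElement(container, "PluginPackage", id=pid)
            changed.append(pid)
        if pkg.get("status") != "incompatible":
            pkg.set("status", "incompatible")  # fix a wrong status, e.g. "compatible"
            if pid not in changed:
                changed.append(pid)
    if hasattr(ET, "indent"):  # Python 3.9+: keep the file readable
        ET.indent(root)
    return ET.tostring(root, encoding="unicode"), changed


def incompatible_ids(xml_text):
    """Ids of every PluginPackage currently marked incompatible."""
    root = _parse(xml_text)
    return sorted(p.get("id") for p in root.iter("PluginPackage")
                  if p.get("status") == "incompatible")


def missing_ids(xml_text, plugin_ids):
    """Ids from plugin_ids that the file does NOT yet mark incompatible (empty list = done)."""
    return sorted(set(plugin_ids) - set(incompatible_ids(xml_text)))


def apply_to_file(path, plugin_ids):
    """Edit the file in place, keeping a .bak copy; returns the ids that were changed."""
    with open(path, "rb") as f:
        original = f.read()
    updated, changed = mark_incompatible(original, plugin_ids)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write('<?xml version="1.0" encoding="UTF-8"?>\n' + updated + "\n")
    return changed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 this_script.py /etc/vmware/vsphere-ui/compatibility-matrix.xml
        print("changed:", apply_to_file(sys.argv[1], PLUGIN_IDS.values()))
        with open(sys.argv[1], "rb") as f:
            print("still missing:", missing_ids(f.read(), PLUGIN_IDS.values()))
    else:
        updated, changed = mark_incompatible(SAMPLE_MATRIX, PLUGIN_IDS.values())
        print("changed:", changed)
        print("still missing:", missing_ids(updated, PLUGIN_IDS.values()))
        print(updated)
```

Run it with no arguments to see the effect on the constructed sample, or with the path of a compatibility-matrix.xml (one of the directories listed above) to edit that file; the original is kept as a .bak copy. An empty "still missing" list means every id from the advisory's table is now marked incompatible in the file, which is the condition the UI check under Administration > Solutions > Client Plug-ins should then reflect. Note that the file is read by the vSphere Client service, so the change is not visible until that service re-reads it (restarting the service is VMware's documented step for this workaround; it is not covered on this page).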

References

If you require further assistance, please do not hesitate to contact your Account Manager. For non-Transparity customers who require consultancy, please email us at hello@transparity.com and we’ll contact you as soon as possible.