Enterprises running VMware’s vCenter Server have been urged to update their systems as new research indicates that around 4,000 instances are still vulnerable to two critical security flaws disclosed three weeks ago.
The vulnerabilities were found in vSphere Client (HTML5) and each notched a CVSS score of 9.8.
They include a remote code execution (RCE) bug (CVE-2021-21985) permitting command execution with unrestricted privileges and centering on a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default.
The other vulnerability (CVE-2021-21986) was found in the vSphere authentication mechanism used in multiple plugins. The upshot is that malicious actors can potentially “perform actions allowed by the impacted plug-ins without authentication”, the CVE description reads.
Even though a patch was issued by VMware on May 25, research published today (June 15) by SpiderLabs researchers reveals that more than 4,000 vCenter Server instances are still vulnerable to exploitation.
Rich pickings
vCenter Server is a centralized management utility used to manage virtual machines, ESXi hosts, and other dependent components.
VMware dominates the server virtualization market, with vSphere boasting the greatest market share and vCenter Server ranking fifth, according to Datanyze.
Using Shodan, Trustwave security researchers found 5,271 internet-facing instances of VMWare vCenter Server, with nearly four in five (76%) – 4,019 – vulnerable to the flaws based on their self-reported version and use of the vulnerable port.
A further 950 hosts are running even older builds than the vulnerable versions, all bar eight of which are running versions that have reached their end of life.
Fortunately, despite the publication of proof-of-concept code from various sources, SpiderLabs said it has found “no exploitation of these vulnerabilities found in the wild”.
Patches and mitigations
Affected versions include vCenter Server 6.5.0 before 6.5.0 build 17994927, 6.7.0 before 6.7.0 build 18010531, and 7.0.0 before 7.0.2 build 17958471, as well as Cloud Foundation vCenter Server 3.x before 3.10.2.1 build 18015401, and 4.x before 4.2.1 build 18016307.
The patched versions of vCenter Server are 6.5 U3p, 6.7 U3n, and 7.0 U2b, while Cloud Foundation was updated in versions 3.10.2.1 and 4.2.1.
VMWare has previously issued instructions on how to disable the affected plugins aimed at organizations unable to apply the updates immediately.
The RCE flaw was discovered by ‘Ricter Z’ of Chinese infosec firm 360 Noah Lab, with the other flaw detected internally.
The Daily Swig has put additional questions to Trustwave and we will update the article if and when we hear back.
Source: https://portswigger.net/daily-swig/thousands-of-vmware-vcenter-server-instances-still-unpatched-against-critical-flaws-three-weeks-post-disclosure
