VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability: What You Need to Know

This blog post was co-authored by Bob Rudis and Caitlin Condon.


What’s up?


On Feb. 23, 2021, VMware published an advisory (VMSA-2021-0002) describing three weaknesses affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation.


Before digging into the individual vulnerabilities, it is vital that all organizations that use the HTML5 VMware vSphere Client, i.e., VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2), immediately restrict network access to those clients (especially if they are not segmented off on a management network), implement the mitigation noted below, and consider performing accelerated or immediate patching on those systems.


Vulnerability details and recommendations


CVE-2021-21972 is a critical (CVSSv3 base 9.8) unauthenticated remote code execution vulnerability in the HTML5 vSphere client. Any malicious actor with access to port 443 can exploit this weakness and execute commands with unrestricted privileges.


PT Swarm has provided a detailed walkthrough of this weakness and how to exploit it.


Rapid7 researchers have independently analyzed, tested, and confirmed the exploitability of this weakness and have provided a full technical analysis.


Proof-of-concept working exploits are beginning to appear on public code-sharing sites.


Organizations should restrict access to this plugin and patch affected systems immediately (i.e., not wait for standard patch change windows).


VMware has provided steps for a temporary mitigation, which involves disabling the plugin.


CVE-20 ..