Thousands of VMWare vCenter Server instances still unpatched against critical flaws three weeks post-disclosure

Vulnerabilities could allow an attacker to execute commands with unrestricted privileges

Enterprises running VMware’s vCenter Server have been urged to update their systems as new research indicates that around 4,000 instances are still vulnerable to two critical security flaws disclosed three weeks ago.

The vulnerabilities were found in vSphere Client (HTML5) and each notched a CVSS score of 9.8.

They include a remote code execution (RCE) bug (CVE-2021-21985) permitting command execution with unrestricted privileges and centering on a lack of input validation in the Virtual SAN Health Check plugin, which is enabled by default.

Catch up on the latest enterprise security news

The other vulnerability (CVE-2021-21986) was found in the vSphere authentication mechanism used in multiple plugins. The upshot is that malicious actors can potentially “perform actions allowed by the impacted plug-ins without authentication”, the CVE description reads.

Even though a patch was issued by VMware on May 25, research published today (June 15) by SpiderLabs researchers reveals that more than 4,000 vCenter Server instances are still vulnerable to exploitation.

Rich pickings

vCenter Server is a centralized management utility used to manage virtual machines, ESXi hosts, and other dependent components.

VMware dominates the server virtualization market, with vSphere boasting the greatest market share and vCenter Server ranking fifth, according to Datanyze.

Using Shodan, Trustwave security researchers found 5,271 internet-facing instances of VMWare vCenter Server, with nearly four in five (76%) – 4,019 – vulnerable to the flaws based on their self-reported version and use of the vulnerable port.

RECOMMENDED Shodan founder John Matherly on IoT security and dual-purpose hacking tools

A further 950 hosts are running even older builds than the vulnerable versions, all bar eight of which are running versions that have reached their end of life.

Fortunately, despite the publication of proof-of-concept code from various sources, SpiderLabs said it has found “no exploitation of these vulnerabilities found in the wild”.

Patches and mitigations

Affected versions include vCenter Server 6.5.0 before 6.5.0 build 17994927, 6.7.0 before 6.7.0 build 18010531, and 7.0.0 before 7.0.2 build 17958471, as well as Cloud Foundation vCenter Server 3.x before 3.10.2.1 build 18015401, and 4.x before 4.2.1 build 18016307.

The patched versions of vCenter Server are 6.5 U3p, 6.7 U3n, and 7.0 U2b, while Cloud Foundation was updated in versions 3.10.2.1 and 4.2.1.

VMWare has previously issued instructions on how to disable the affected plugins aimed at organizations unable to apply the updates immediately.

The RCE flaw was discovered by ‘Ricter Z’ of Chinese infosec firm 360 Noah Lab, with the other flaw detected internally.

The Daily Swig has put additional questions to Trustwave and we will update the article if and when we hear back. 

DON’T FORGET TO READ Security researcher turns Apache Airflow into bug bounty cash cow