VMware vCenter Vulnerability with Critical RCE, CVSSv3 Score 9.8 of 10
By Randy Becker, VP & Principal Security Architect
Yesterday, May 25th, VMware announced two new vulnerabilities in its vCenter management platform; this impacts many production vCenter deployments regardless of whether you are using VMware Virtual SAN (vSAN). VMware is providing a workaround and a fix for affected versions of vCenter. We recommend reading all the details before taking any action. The workarounds could impact functionality if you are using vSAN, so read thoroughly. Per VMware: “This needs your immediate attention if you are using vCenter Server.”
Who is impacted by this?
Customers using VMware vCenter 6.5, 6.7, and 7.0.
When do you need to do something?
Per VMware: “Right now.”
Per our usual recommendations, follow proper change control and testing to ensure there are not any negative impacts.
Do you have VMware vCenter 6.5, 6.7, and 7.0?
VMware posted two new vulnerabilities yesterday. The first, CVE-2021-21985, is rated in the critical severity range with a CVSSv3 base score of 9.8 out of 10. The second, CVE-2021-21986, is a vulnerability in the vSphere authentication mechanism with a CVSSv3 base score of 6.5 out of 10. The latest patches are listed on the VMware Security Advisories site, under Fixed Version(s) and Release Notes.
Who does this impact?
Customers using VMware vCenter 6.5, 6.7, and 7.0. There is also a helpful blog from VMware that covers much more detail on these vulnerabilities.
CVE-2021-21985 is a Remote Code Execution (RCE) vulnerability, meaning that anyone already on the network with working exploit code could exploit it. Often, people believe that because these systems are inside the network, they are protected. In today’s world, I am a firm believer in “assume the breach,” meaning that we assume the threat actors are already on the network, looking and waiting to strike.
Directly from the VMware blog: “In this era of ransomware, it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.”
What should we be doing?
• Follow proper change control processes
• Test your patches before rolling into production
• Ensure you have immutable backups of all systems. That way, if the worst happens, you have a method of recovering.
If you need help with this security threat, please reach out to your GreenPages Account Manager or reach out to us!