VMware has revealed a critical bug that can be exploited to achieve unauthenticated remote code execution in the very core of a virtualised system – vCenter Server.
The culprit is the vSphere HTML5 client, which by default includes the Virtual SAN Health plugin – even if you don’t run a VMware VSAN. That plugin lacks input validation and the result, as explained by VMware’s advisory this week, is: “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
As vCenter is the tool with which VMware users drive their fleets of virtual machines, the bug is rated a 9.8 out of 10 in severity.
VMware urges instant patching. In a blog post about the bug, technical marketer Bob Plankers wrote: “Organizations that practice change management using the ITIL definitions of change types would consider this an emergency change.”
The problem, assigned CVE-2021-21985, is found in vCenter Server 6.5, 6.7, and 7.0. It also impacts Cloud Foundation versions 3.x and 4.x.
But wait, there’s more!
VMware has also reported CVE-2021-21986, an authentication mechanism vulnerability in the vSphere HTML5 client that is also bad news for the Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plugins.
An unauthenticated attacker with access to the same port 443 could perform actions exposed by those plugins without ever logging in. And seeing as the Site Recovery plugin is a disaster recovery tool, The Register shudders at the possibilities if an attacker managed to both introduce ransomware and mess with recovery infrastructure.
Every vendor has bugs and plenty of them are nasty. But this is the second critical flaw found in the vSphere HTML5 client this year alone. The first, revealed in February, was also rated 9.8.
The client also had a long and difficult development history, requiring more than two years to match the functionality of a Flash-based tool and a justifiably unloved C# client.
Adding further complications, VMware has extended the supported lifespan of some vCenter versions that shipped with the Flash client, meaning those who persist with those versions will also need to maintain old-school browsers that still support Adobe’s dangerous Flash-rendering code. ®