CVE-2021-21985, CVE-2021-21986: VMware vCenter Server Remote Code Execution Vulnerability Alert
On May 26, 2021, VMware officially released a risk notice for the remote code execution vulnerability in VMware vCenter Server, which was discovered by Ricter Z, a security researcher at 360 Noah Lab. The vulnerability number is CVE-2021-21985 and CVE-2021-21986 with the CVSS score of 6.5-9.8.
VMware vCenter Server is a VMware virtualization management platform, which is widely used in enterprise private cloud intranets. By using vCenter, administrators can easily manage hundreds of virtualized environments, which also means that when they are controlled by an attacker, a large number of virtualized environments in the private cloud will be controlled by the attacker.
An attacker who can access vCenter Server through 443 can directly execute arbitrary code on the target host and take over the target host. The attack is low in complexity, requires few conditions, and does not require user interaction.
Vulnerability Detail
VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21985)
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Authentication mechanism issue in vCenter Server Plug-ins (CVE-2021-21986)
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.