VMware vCenter RCE Bug Threat Intel Advisory

CloudSEK threat intelligence advisory on VMware vCenter RCE Bug, allows unauthorized actors to execute arbitrary code on a vCenter Server instance.
Updated on
April 19, 2023
Published on
March 12, 2021
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
 
Advisory Type
Vulnerability Intelligence
CVE ID
CVE-2021-21972
CVSSv3 Score
9.8
Vulnerability Classification 
Unauthorized Remote Code Execution [RCE]
Vendor 
VMware vCenter Server 7.0, 6.7, 6.5
Affected Platforms
Windows/Linux 
 

Executive Summary

The cSphere Client contains an RCE vulnerability in a vCenter Server plugin. This gives an unauthorized actor the ability to execute arbitrary code on a vCenter Server instance. Which comes with unrestricted privileges on the underlying operating system that hosts the Server.  

Technical Details

The vulnerable plugin “vropspluginui” [ /ui/vropspluginui/ ] which is part of the vCenter Server exposes critical services without any authorization to any unauthenticated user. The service known as “uploadova” resides in the following location: /ui/vropspluginui/rest/services/uploadova  It has an unrestricted upload vulnerability with no input filtering which leads to an arbitrary file upload. The uploaded file has the same security descriptor of the server instance and has write access to internal directories. An unauthorized threat actor can remotely upload a malicious file that executes input supplied by the attacker on the remote server leading to RCE.  

Impact 

  • A threat actor with the network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
  • A threat actor can use the compromised server as a foothold to further the attack deep inside the target network.
 

Mitigations

Affected Versions
Fixed Versions
vCenter 7.0 7.0 U1c
vCenter 6.7 6.7 U3l
vCenter 6.5 6.5 U3n
  Update the affected versions to their respective patched versions. Official documentation: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations