VMware vCenter Server Unauthorized Remote Code Execution
Description
VMware vCenter Server versions 6.5, 6.7, and 7.0 contain a critical remote code execution vulnerability (CVE-2021-21972, CVSSv3 9.8) in the vRealize Operations (vROps) plugin of the vSphere Client (HTML5). The plugin ships with vCenter Server and is present whether or not vRealize Operations is deployed. Its upload endpoint, /ui/vropspluginui/rest/services/uploadova, accepts requests from unauthenticated clients that can reach port 443 and extracts the entries of the uploaded archive using their stored names without validation, so an entry name containing ../ segments lets the attacker write a file to any location the vsphere-ui service can write to (a path-traversal file write). Dropping a web shell or an SSH authorized_keys entry in that way yields code execution on the vCenter host; VMware describes the impact as execution of commands with unrestricted privileges on the underlying operating system. No credentials are required, and the vulnerable endpoint is reachable by anyone who can complete a TLS connection to the vSphere Client port.
Remediation
Apply security patches immediately by upgrading to the following patched versions:
- vCenter Server 7.0: Upgrade to 7.0 U1c or later
- vCenter Server 6.7: Upgrade to 6.7 U3l or later
- vCenter Server 6.5: Upgrade to 6.5 U3n or later
Mitigations if patching cannot be performed immediately:
1. Restrict network access to vCenter Server port 443 to trusted management networks only, using firewall rules; the vulnerable endpoint is served on the same port as the vSphere Client itself, so it cannot be filtered by port alone.
2. Implement network segmentation so that vCenter Server is never reachable from the internet or from general user networks.
3. Disable the vulnerable plugin using the workaround VMware published in KB82374 (referenced from VMSA-2021-0002): mark the vRealize Operations plugin as incompatible in the vSphere Client compatibility-matrix.xml (under /etc/vmware/vsphere-ui on the appliance) and restart the vsphere-ui service. This removes vROps integration from the client until the patch is applied, and the file must be reverted after upgrading.
4. Monitor the vsphere-ui access logs for requests to /ui/vropspluginui/rest/services/uploadova. A POST to that path that does not correspond to an administrator deploying vRealize Operations through the client should be treated as an exploitation attempt, regardless of the HTTP status returned.
5. Review VMware advisory VMSA-2021-0002 for the full list of affected products (VMware Cloud Foundation bundles vCenter Server and is affected as well) and for additional workaround and detection guidance.
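The two checks below are an added example written for this page, not VMware's tooling or code from the advisory. The first scans access-log lines in the Tomcat common format (the vsphere-ui access log is assumed to use that layout) for traffic to the vROps plugin and rates hits on the uploadova endpoint as high. The second inspects a captured upload body, which is a tar archive, for member names that would escape the extraction directory, the mechanism the vulnerability abuses. The log lines and archive contents are constructed test data; the client addresses, timestamps and file names in them are invented.

```python
"""Detection helpers for CVE-2021-21972 exploitation attempts (added example)."""
import io
import re
import tarfile
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Endpoint named in VMSA-2021-0002. Other paths under the plugin prefix are
# reported as informational context only.
UPLOADOVA_PATH = "/ui/vropspluginui/rest/services/uploadova"
PLUGIN_PREFIX = "/ui/vropspluginui"

# Tomcat common access-log format: client - - [time] "METHOD path PROTO" status size
# Assumption: the vsphere-ui access log (localhost_access_log*.txt) uses this layout.
ACCESS_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): two benign UI requests, then the
# probe-then-upload sequence an exploit produces, the last one percent-encoded.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [24/Feb/2021:10:01:05 +0000] "GET /ui/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [24/Feb/2021:10:02:11 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 200 34',
    '198.51.100.7 - - [24/Feb/2021:10:02:13 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 7',
    '198.51.100.7 - - [24/Feb/2021:10:02:20 +0000] "POST /ui/vropspluginui/rest/services/%75ploadova?x=1 HTTP/1.1" 200 7',
]


def normalize_path(raw: str) -> str:
    """Drop the query string, percent-decode, lowercase and strip a trailing slash
    so that trivial evasions still compare equal to UPLOADOVA_PATH."""
    path = raw.split("?", 1)[0]
    return unquote(path).lower().rstrip("/")


def find_uploadova_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every request under the vROps plugin prefix, severity 'high' for the
    upload endpoint and 'info' for the rest (e.g. getstatus probes)."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = normalize_path(m.group("path"))
        if not (path == PLUGIN_PREFIX or path.startswith(PLUGIN_PREFIX + "/")):
            continue
        hits.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "method": m.group("method"),
            "path": path,
            "status": m.group("status"),
            "severity": "high" if path == UPLOADOVA_PATH else "info",
        })
    return hits


def tar_members_with_traversal(data: bytes) -> List[str]:
    """Return member names in a tar body that would escape the extraction directory.
    Both '/' and '\\' separators are checked because vCenter also shipped on Windows."""
    suspicious: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            segments = re.split(r"[\\/]", member.name)
            if member.name.startswith(("/", "\\")) or ".." in segments:
                suspicious.append(member.name)
    return suspicious


def build_sample_tar(names: Iterable[str]) -> bytes:
    """Build an in-memory tar with the given member names (constructed test data).
    tarfile.TarInfo stores names verbatim, unlike TarFile.add(), which strips
    leading slashes, so traversal names survive into the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_uploadova_requests(SAMPLE_ACCESS_LOG):
        print(f"[{hit['severity']}] {hit['client']} {hit['method']} {hit['path']} -> {hit['status']}")
    sample = build_sample_tar(["payload.txt", "../../../tmp/shell.jsp", "..\\..\\shell.jsp", "/etc/passwd"])
    print("traversal members:", tar_members_with_traversal(sample))
```

The log check deliberately ignores the response status: an HTTP 200 on the upload is what a successful file write looks like, and a failed attempt is still an attacker probing the host. The archive check only looks at member names, which is the defect here; a full review of a captured upload would also examine link targets and the contents of any dropped web content.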
Post-remediation actions:
- Conduct a thorough security assessment to identify indicators of compromise. Because the exploit is a file write performed by the vsphere-ui service, look for unexpected files owned by that account, in particular new JSP or other web content under the vSphere Client webapps directories and additions to SSH authorized_keys files.
- Review vCenter Server access logs for unauthorized access attempts from the period before patching, including any request to the uploadova endpoint; public exploit code appeared shortly after the advisory, so exposure before the patch should be assumed to have been tested.
- Rotate credentials and API keys if compromise is suspected, including vCenter SSO administrator passwords and any service accounts stored in vCenter, and include the ESXi hosts it manages in scope, since control of vCenter is control of the virtual estate.