DIVD-2021-00010 - vCenter Server PreAuth RCE

Summary

On 25 May 2021, VMware published an advisory [0] due to a critical vulnerability in vCenter server. The vulnerability can be exploited by unauthenticated malicious actors to gain remote code execution (RCE) through the abuse of a vulnerability in the Virtual SAN (vSAN) Health Check plug-in which is enabled by default. This vulnerability is present in the following versions: 7.0, 6.7, 6.5, 4.x, 3.x. Publicly available exploit code has been posted online on the 3rd of June 2021.

What you can do

If you run a vulnerable vCenter server, please update to one of the following versions: 3.10.2.1, 4.2.1, 6.5 U3p, 6.7 U3n, 7.0 U2b.

Exploit code has been published and scanning activity in regards to this vulnerability has increased. It is recommended to update vCenter server and examine your logs for signs of potential abuse.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) [2] is performing a daily scan since 31 May 2021. The scope of the scan is a combination of Shodan and BinaryEdge results. The scan enumerates the version of vCenter server and tests the availability of the vulnerable vSAN API endpoint (/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData).

DIVD sends notifications about the vCenter vulnerability to system owners, for which it was analytically concluded that their system is most likely vulnerable. The following indicators have been used to conclude if a system is vulnerable:

• Enumerate vCenter server version (7.0, 6.7, 6.5, 4.x, 3.x)
• Inspect build version (patched builds are: 17958471, 18010531, 17994927)
• Check availability of API endpoint indicating possibility to exploit

Timeline

References

• [0] https://www.vmware.com/security/advisories/VMSA-2021-0010.html
• [1] https://kb.vmware.com/s/article/83829
• [2] https://www.divd.nl/