Skip to the content.

DIVD-2021-00010 - vCenter Server PreAuth RCE

Our reference DIVD-2021-00010
Case lead Victor Gevers
Author Hidde Smit
Researcher(s)
CVE(s)
Product VMware vCenter Server
Versions 3.x, 4.x, 6.5, 6.7 and 7.0
Recommendation The solution for this vulnerability is to upgrade VMware vCenter Server software version to one of the following versions: 3.10.2.1, 4.2.1, 6.5 U3p, 6.7 U3n, 7.0 U2b.
Status Closed
Last modified 12 Aug 2022 11:21 CEST

Summary

On 25 May 2021, VMware published an advisory [0] due to a critical vulnerability in vCenter server. The vulnerability can be exploited by unauthenticated malicious actors to gain remote code execution (RCE) through the abuse of a vulnerability in the Virtual SAN (vSAN) Health Check plug-in which is enabled by default. This vulnerability is present in the following versions: 7.0, 6.7, 6.5, 4.x, 3.x. Publicly available exploit code has been posted online on the 3rd of June 2021.

What you can do

If you run a vulnerable vCenter server, please update to one of the following versions: 3.10.2.1, 4.2.1, 6.5 U3p, 6.7 U3n, 7.0 U2b.

Exploit code has been published and scanning activity in regards to this vulnerability has increased. It is recommended to update vCenter server and examine your logs for signs of potential abuse.

What we are doing

The Dutch Institute for Vulnerability Disclosure (DIVD) [2] is performing a daily scan since 31 May 2021. The scope of the scan is a combination of Shodan and BinaryEdge results. The scan enumerates the version of vCenter server and tests the availability of the vulnerable vSAN API endpoint (/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData).

DIVD sends notifications about the vCenter vulnerability to system owners, for which it was analytically concluded that their system is most likely vulnerable. The following indicators have been used to conclude if a system is vulnerable:

Timeline

Date Description
25 May 2021 VMWare publishes an advisory.
31 May 2021 DIVD starts scanning.
03 Jun 2021 Exploit code published online.
06 Jun 2021 Notifications sent by DIVD CSIRT.
30 Nov 2021 Case closed as the amount of vulnerable systems online has decreased significantly.
gantt title DIVD-2021-00010 - vCenter Server PreAuth RCE dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2021-00010 - vCenter Server PreAuth RCE (184 days) :2021-05-30, 2021-11-30 section Events VMWare publishes an advisory. : milestone, 2021-05-25, 0d DIVD starts scanning. : milestone, 2021-05-31, 0d Exploit code published online. : milestone, 2021-06-03, 0d Notifications sent by DIVD CSIRT. : milestone, 2021-06-06, 0d Case closed as the amount of vulnerable systems online has decreased significantly. : milestone, 2021-11-30, 0d

References