DIVD-2021-00010 - vCenter Server PreAuth RCE
| Case lead | Victor Gevers |
|---|---|
| Product | VMware vCenter Server |
| Versions | 3.x, 4.x, 6.5, 6.7 and 7.0 |
| Recommendation | Upgrade VMware vCenter Server to one of the following versions: 3.10.2.1, 4.2.1, 6.5 U3p, 6.7 U3n, 7.0 U2b. |
| Last modified | 11 Jan 2022 10:41 |
On 25 May 2021, VMware published an advisory for a critical vulnerability in vCenter Server. Unauthenticated attackers can exploit it to gain remote code execution (RCE) by abusing a flaw in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default. The vulnerability is present in versions 7.0, 6.7, 6.5, 4.x and 3.x. Publicly available exploit code was posted online on 3 June 2021.
What you can do
If you run a vulnerable vCenter Server, please update to one of the following versions: 3.10.2.1, 4.2.1, 6.5 U3p, 6.7 U3n, 7.0 U2b.
Exploit code has been published and scanning activity for this vulnerability has increased. We recommend updating vCenter Server and examining your logs for signs of potential abuse.
What we are doing
The Dutch Institute for Vulnerability Disclosure (DIVD) has been performing a daily scan since 31 May 2021. The scope of the scan is a combination of Shodan and BinaryEdge results. The scan enumerates the vCenter Server version and tests the availability of the vulnerable vSAN API endpoint (/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData).
DIVD sends notifications about the vCenter vulnerability to system owners whose systems it has concluded, from the scan data, are most likely vulnerable. The following indicators are used to decide whether a system is vulnerable:
- Enumerate the vCenter Server version (7.0, 6.7, 6.5, 4.x, 3.x)
- Inspect the build number (patched builds are: 17958471, 18010531, 17994927)
- Check availability of the API endpoint, indicating that exploitation is possible
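The three indicators above, and the advice to examine logs for signs of abuse, can be turned into a small defender-side triage script. The following is an added example and not DIVD's scanner or VMware's code: it classifies an inventory record (version, build number, whether the vSAN endpoint answered) using the page's patched-build list, and it flags access-log requests that touch the vSAN Health Check proxy path. The log lines are constructed in Common Log Format for illustration; the vSphere UI and rhttpproxy access logs use their own field layout, so adjust the regular expression to your log source. The build number 17000000 is a made-up unpatched build used only for the example.

```python
import re

# Fixed vCenter Server builds named on the DIVD case page (7.0 U2b, 6.7 U3n,
# 6.5 U3p). Builds released after these also contain the fix, so extend this
# set from the vendor advisory rather than treating it as exhaustive.
PATCHED_BUILDS = {17958471, 18010531, 17994927}

# Version families the advisory lists as affected.
AFFECTED_VERSION_PREFIXES = ("7.0", "6.7", "6.5", "4.", "3.")

# vSAN Health Check plug-in path that DIVD probes (quoted from the case page).
VSAN_PROXY_PREFIX = "/ui/h5-vsan/rest/proxy/service/"
VSAN_ENDPOINT = (
    VSAN_PROXY_PREFIX
    + "com.vmware.vsan.client.services.capability."
    + "VsanCapabilityProvider/getClusterCapabilityData"
)


def classify(version: str, build: int, endpoint_available: bool) -> str:
    """Apply the three indicators in the order the case page lists them.

    version            -- product version string, e.g. "7.0.2"
    build              -- vCenter build number as an integer
    endpoint_available -- True if the vSAN endpoint responded (not 404)
    """
    if not version.startswith(AFFECTED_VERSION_PREFIXES):
        return "version-not-in-scope"
    if build in PATCHED_BUILDS:
        return "patched"
    if not endpoint_available:
        return "endpoint-unavailable"
    return "likely-vulnerable"


# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(lines):
    """Return every parsed request whose path is under the vSAN proxy prefix.

    Any hit from an address that is not a known administrator workstation is
    worth investigating; the endpoint is reachable without authentication.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        if m.group("path").startswith(VSAN_PROXY_PREFIX):
            hits.append({
                "src": m.group("src"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    '203.0.113.10 - - [03/Jun/2021:14:02:11 +0000] "POST ' + VSAN_ENDPOINT
    + ' HTTP/1.1" 200 512\n'
    '198.51.100.7 - - [03/Jun/2021:14:03:40 +0000] "GET /ui/login HTTP/1.1" 200 4096\n'
    '203.0.113.10 - - [03/Jun/2021:14:04:02 +0000] "POST ' + VSAN_ENDPOINT
    + ' HTTP/1.1" 500 0\n'
)


if __name__ == "__main__":
    # Constructed inventory: (host, version, build, endpoint responded?)
    inventory = [
        ("vcsa-a.example.internal", "7.0.2", 17958471, True),
        ("vcsa-b.example.internal", "7.0.2", 17000000, True),
        ("vcsa-c.example.internal", "6.7.0", 17000000, False),
    ]
    for host, version, build, reachable in inventory:
        print(f"{host}: {classify(version, build, reachable)}")
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"vSAN proxy request from {hit['src']} -> {hit['status']}")
```

The classification is deliberately conservative: a host whose build is not in the patched set but whose endpoint did not answer is reported separately rather than as safe, because an unreachable endpoint may simply mean a firewall sat between the scanner and the host. Treat "likely-vulnerable" as the queue for immediate patching and pair it with the log check so that hosts already probed are prioritised.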
| Date | Event |
|---|---|
| 25 May 2021 | VMware publishes an advisory. |
| 31 May 2021 | DIVD starts scanning. |
| 03 Jun 2021 | Exploit code published online. |
| 06 Jun 2021 | Notifications sent by DIVD CSIRT. |
| 30 Nov 2021 | Case closed as the number of vulnerable systems online has decreased significantly. |
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html
- https://kb.vmware.com/s/article/83829
- https://www.divd.nl/