Vulnerability in vCenter Server
By Jeff Wehrman, Vigilant CISO
A Vigilant Threat Alerts Series
VMware is back in the news this week after disclosing yet another Critical vulnerability. This time the flaw is in vCenter Server, the centralized management platform for vSphere (ESXi) hosts in large data centers.
When major vendors announce vulnerabilities or security issues in their software, hardware, or services, the impact on IT, security, and even business teams is significant: additional risk, remediation work, lost time, and lost productivity. As you have likely noticed, the rate of these vendor disclosures shows no sign of slowing down.
In an advisory posted on Tuesday, VMware announced a remote code execution (RCE) vulnerability in the vSphere Client (HTML5) component of vCenter Server (CVE-2021-21985). In a default configuration, any client that can reach vCenter Server on TCP port 443 can trigger the flaw; no credentials are required. A malicious actor with network access to that port, whether from the Internet or from inside your network, may therefore execute commands with unrestricted privileges on the operating system that hosts vCenter Server.
What Immediate Actions Are We Recommending?
Due to the Critical nature of this vulnerability, Vigilant strongly recommends that you protect your data and environment by immediately patching any vCenter Server systems present within your environment to the fixed versions VMware has published.
If you subscribe to our managed endpoint protection (MEP) service, please make sure that the MEP agent is deployed to your servers, especially any on-premises vCenter Server systems.
What Is Vigilant Doing to Keep Your Organization Secure?
Vigilant is continuously and actively hunting within our client environments for evidence of exposure to any threat, not just this one. Because this vulnerability is exploited over the network and the follow-on activity lands on the host, coverage varies with the Vigilant services you subscribe to.
If you have CyberDNA® – An attacker who gains code execution on vCenter Server through this vulnerability would then seek to establish persistence and move further into the company's environment. CyberDNA® monitors network traffic for that kind of exploit and post-exploitation activity. CyberDNA® and our teams are constantly on the lookout for this kind of malicious activity so we can promptly investigate and notify our clients of additional actions to take in order to quickly mitigate or remediate the threat.
If you have MEP – The best mitigations and detections for this vulnerability are at the network layer; this is where defense-in-depth (a layered defense approach) comes into play. MEP would catch the follow-on activity (or other remote actions) that an attacker would take to further compromise a host running the impacted VMware product after the initial remote exploitation. Make sure that MEP is deployed to your servers, including your vCenter Servers!
If you only have MEP Level I – MEP Level I does not include file system inventory, so while MEP Level I can detect and block the follow-on threat actor activity, without MEP Level II we cannot proactively tell you whether other artifacts of this kind of attacker activity are present. If you would like us to scan and hunt on these systems, please reach out to your Vigilant CRS agent and request an upgrade to MEP Level II. We can upgrade your MEP Level I systems within minutes.
If you have MEP Level II – As MEP Level II includes full system hunting and file-level inventory, our hunt and endpoint teams are actively hunting for this type of activity and tracking emerging threats related to this vulnerability and its exploits so we can promptly investigate and notify our clients of additional actions to take in order to quickly mitigate or remediate the threat.
What Are the VMware vCenter Server Vulnerability Details and Additional Recommended Actions for our Clients?
- Risk rating: Critical (CVSSv3 base score 9.8 out of 10)
- Description: The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
- Mitigations / Actions: If patching is not an immediate option, other mitigations are available. However, these should be treated only as temporary "stop gap" measures and not as a replacement for applying VMware's updates. Vigilant recommends:
  - Limiting or blocking external access to internet-facing vCenter Servers by restricting untrusted connections to port 443, or by placing vCenter Server behind a VPN so it is not reachable from outside; note that neither measure stops an adversary who already has a foothold on your network from exploiting the vulnerability.
  - Blocking external access to on-premises vCenter Servers.
  - Disabling unnecessary VMware plug-ins in vCenter Server, as outlined in the VMware KB article below.
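The plug-in mitigation above is a change to the vSphere Client's plug-in compatibility matrix on the vCenter Server Appliance (VCSA). The script below is an added example written for this page, not Vigilant's or VMware's own tooling. It assumes, from memory of VMware's KB and to be confirmed against that article before use, that the matrix lives at /etc/vmware/vsphere-ui/compatibility-matrix.xml, that the Virtual SAN Health Check plug-in id is com.vmware.vsphere.client.h5vsan, and that the vsphere-ui service is restarted with service-control. It backs the file up, inserts the "incompatible" entry idempotently, refuses to touch a file without a pluginsCompatibility block, and only attempts the service restart where service-control exists; the demo at the bottom runs against a constructed sample file, so it is safe to execute anywhere.

```shell
#!/bin/sh
# Added example (not from the original alert): temporarily mark the Virtual SAN
# Health Check plug-in "incompatible" so the HTML5 vSphere Client will not load it.
# ASSUMPTIONS to confirm against VMware's KB before running on a real VCSA:
#   - matrix path: /etc/vmware/vsphere-ui/compatibility-matrix.xml
#   - vSAN health plug-in id: com.vmware.vsphere.client.h5vsan
#   - vsphere-ui is restarted with: service-control --stop/--start vsphere-ui
# This is a stop-gap only. It does not fix the vulnerable code, and vSAN health
# monitoring in the client is unavailable while the plug-in is disabled.

MATRIX_DEFAULT=/etc/vmware/vsphere-ui/compatibility-matrix.xml   # assumed path
VSAN_HEALTH_PLUGIN=com.vmware.vsphere.client.h5vsan              # assumed id

# plugin_disabled FILE ID -> exit 0 if FILE already lists ID as incompatible
plugin_disabled() {
    grep -qF "<PluginPackage id=\"$2\" status=\"incompatible\"/>" "$1"
}

# disable_plugin FILE ID: back FILE up, then insert an "incompatible" entry just
# before </pluginsCompatibility>. Idempotent; uses awk so it also works where
# sed lacks GNU extensions (-i, \n in replacements).
disable_plugin() {
    file=$1; id=$2
    if plugin_disabled "$file" "$id"; then
        return 0
    fi
    grep -q '</pluginsCompatibility>' "$file" || {
        echo "disable_plugin: no <pluginsCompatibility> block in $file" >&2
        return 1
    }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$file.tmp.$$"
    awk -v id="$id" '
        /<\/pluginsCompatibility>/ {
            print "      <PluginPackage id=\"" id "\" status=\"incompatible\"/>"
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# restart_vsphere_ui: reload the client so the matrix change takes effect.
# Only runs where the VCSA tool exists, so the demo below is harmless elsewhere.
restart_vsphere_ui() {
    if command -v service-control >/dev/null 2>&1; then
        service-control --stop vsphere-ui && service-control --start vsphere-ui
    else
        echo "service-control not found (not a VCSA); skipping restart" >&2
        return 0
    fi
}

# Demo against a constructed sample matrix (sample content, not a real VCSA file).
demo() {
    dir=$(mktemp -d)
    sample="$dir/compatibility-matrix.xml"
    cat > "$sample" <<'EOF'
<Matrix>
   <pluginsCompatibility>
      <PluginPackage id="com.example.some.plugin" status="compatible"/>
   </pluginsCompatibility>
</Matrix>
EOF
    disable_plugin "$sample" "$VSAN_HEALTH_PLUGIN"
    disable_plugin "$sample" "$VSAN_HEALTH_PLUGIN"   # second call is a no-op
    plugin_disabled "$sample" "$VSAN_HEALTH_PLUGIN" && echo "disabled in $sample"
    cat "$sample"
}

demo
# On a real appliance (after confirming the path and id against VMware's KB):
#   disable_plugin "$MATRIX_DEFAULT" "$VSAN_HEALTH_PLUGIN" && restart_vsphere_ui
```

Keep the .bak copy: once the vCenter Server is patched, restore the original matrix and restart vsphere-ui again so vSAN health checks return. The same functions accept any other plug-in id, so the other plug-ins named in VMware's KB can be disabled the same way if they are not in use.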
As described above, the best mitigation and earliest detection for this kind of vulnerability is at the network layer. If you rely only on our managed endpoint protection service (MEP), you are not as well protected as you could be, which is exactly why defense-in-depth matters. With the right visibility into and across your network as well as your endpoints, it is easier and faster to respond to vendor vulnerabilities like this one and to detect if and when they are exploited by malicious actors.
If you would like to learn more about CyberDNA® in order to both strengthen your security posture and reduce your security risk, please contact your Vigilant Customer Relationship Specialist (CRS) via firstname.lastname@example.org