CVE-2021-21972

Analysis and mitigation of the vCenter Server vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

VMware vCenter Server contains a critical remote code execution vulnerability in the vSphere Client (HTML5) plugin. An unauthenticated attacker with network access to port 443 can execute arbitrary commands with unrestricted privileges on the underlying host operating system. This vulnerability was actively exploited in the wild and affects a wide range of vCenter Server versions. The vulnerability was disclosed on February 24, 2021. CISA has identified CVE-2021-21972 as exploited, and it is known to be used in ransomware campaigns.

Technical details

The vulnerability exists in the vCenter Server plugin infrastructure, specifically in how it processes requests to the HTML5 vSphere Client. An attacker can craft a malicious request containing arbitrary code that is processed by a vulnerable endpoint without proper input validation or authentication checks. The flaw allows the attacker to upload arbitrary files and execute commands with SYSTEM privileges on the underlying Windows/Linux host running vCenter Server.

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-502 (Deserialization of Untrusted Data).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows unauthenticated attackers to achieve complete system compromise. An attacker can execute arbitrary operating system commands with SYSTEM/root privileges on the vCenter Server host, leading to: complete server takeover, data theft or destruction, lateral movement within the infrastructure, deployment of ransomware, installation of persistent backdoors, and disruption of virtual infrastructure management. Since vCenter Server is typically a critical management component, its compromise enables attackers to control all virtual machines and resources within the vSphere environment.

Mitigation and workarounds

Update vCenter Server to the patched versions released on March 2, 2021 or later. VMware recommends using vCenter Server Appliance (VCSA) update mechanisms or Windows vCenter Server patches available from the VMware support portal. The following versions include the necessary fixes: vCenter Server 6.5 U3g and later, vCenter Server 6.7 U3d and later, vCenter Server 7.0 U1c and later.

As temporary workarounds: network segmentation, restricting network access to port 443 on vCenter Server to trusted management networks only, with firewall rules limiting access to authorized administrative sources; disabling the HTML5 vSphere Client if it is not in use, where the legacy C# client or alternative management methods are available; and web application firewall (WAF) rules to block suspicious requests to vCenter Server plugin endpoints, though this is not a complete mitigation without knowing the exact attack signatures.

CISA recommendation: Apply updates per vendor instructions.
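To turn the fixed-version list above into a repeatable inventory check, here is an added example (not part of the original report or of any VMware tooling) that compares vCenter Server release strings such as "6.7 U3b" against the first fixed release of each line. The "X.Y Unl" naming convention the parser assumes, the `triage` helper and the inventory values are all constructed for illustration.

```python
import re

# First fixed release per vCenter Server line, as listed in the advisory:
# 6.5 U3g, 6.7 U3d and 7.0 U1c. Stored as (update number, update letter).
FIXED = {
    (6, 5): (3, "g"),
    (6, 7): (3, "d"),
    (7, 0): (1, "c"),
}

# Assumed release-string shape: "7.0", "7.0 U1" or "7.0 U1c" (case-insensitive).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+U(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_version(text):
    """Parse a release string into (major, minor, update, letter).

    A GA release with no update is (major, minor, 0, ""). An empty letter
    sorts before "a", so "6.7 U3" compares as older than "6.7 U3d".
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = match.groups()
    return int(major), int(minor), int(update or 0), (letter or "").lower()


def is_patched(text):
    """True if the release is at or after the fixed release of its line.

    Lines the advisory does not list (for example 6.0) are reported as not
    patched so that unknown builds get reviewed rather than silently accepted.
    """
    major, minor, update, letter = parse_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False
    return (update, letter) >= fixed


def triage(inventory):
    """Map each host to 'patched', 'vulnerable' or 'unparsed' for follow-up."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = {
    "vcsa-prod": "7.0 U1c",
    "vcsa-lab": "6.7 U3b",
    "vcsa-legacy": "6.0 U3",
    "vcsa-broken-record": "build 17327517",
}
```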

Source: This report was generated by AI.

Related VMware vulnerabilities

No related vulnerabilities with identified affected products.