Another critical bug impacts all VMware vCenter Server installs

Pierluigi Paganini May 26, 2021

VMware addresses a critical remote code execution (RCE) flaw in the Virtual SAN Health Check plug-in that impacts all vCenter Server installs.

VMware has released security updates to address a remote code execution (RCE) flaw in vCenter Server that could be exploited by attackers to execute arbitrary code on the installs.

vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location.

The flaw, tracked as CVE-2021-21985, is caused by the lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in the vCenter Server. The vulnerability has received a CVSS score of 9.8 and impacts vCenter Server 6.5, 6.7, and 7.0.

“The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.” reads the advisory published by the virtualization giant. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”

According to the virtualization giant, a remote attacker can exploit the issue to gain access to a vCenter installs exposed online, whether a customer uses vSAN or not.

“there is a remote code execution vulnerability in the vSAN plugin, which ships as part of vCenter Server. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not.” reads a blog post published by the company.

This vulnerability was reported by Ricter Z of 360 Noah Lab.

VMware provides workarounds as a temporary solution to address the following issues:

  • CVE-2021-21972 – VMSA-2021-0002 (vRealize Operations Manager Plugin)
  • CVE-2021-21985 – VMSA-2021-0010 (Virtual SAN Health Check Plugin)
  • CVE-2021-21986 – VMSA-2021-0010 (Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability Plugins)

“Plugins must be set to “incompatible.” Disabling a plugin from within the UI does not prevent exploitation.” reads the advisory published by VMware. “The following actions must be performed on both the active and passive nodes in environments running vCenter High Availability (VCHA).”

In February, VMware has addressed a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform, tracked as CVE-2021-21972, that could be exploited by attackers to potentially take control of affected systems.

The CVE-2021-21972 issue was reported by Mikhail Klyuchnikov from Positive Technologies, it has received a CVSSv3 base score of 9.8/ 10 according to VMware’s security advisory.

The issue affects the plugin for vROPs which is available in all default installations. vROPs does not need to be present to have this endpoint available. The virtualization giant has provided workarounds to disable it.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-21985)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment