Dangerous VMware vCenter Server vulnerability (CVE-2021-21972)

If your vCenter is reachable from the Internet, disconnect it from the Internet before reading this text, and then read on!

vCenter remote code execution vulnerability

In its latest update, VMware has released a fix for a very dangerous remote code execution vulnerability, rated 9.8 out of 10 in severity and tracked as CVE-2021-21972, in vCenter, its infrastructure management server.

Attackers can use this vulnerability to execute arbitrary code on the virtual infrastructure and all of its servers without needing a username or password.

The vCenter server lets network administrators manage and access all hosts and virtual machines on the network through a centralized console.

  • Estimates show that more than 6,750 vulnerable vCenter servers are currently reachable from the Internet and at risk; given the importance and position of such servers in the network structure, access to one means access to a large part of the organization's infrastructure.

  • More than 180 vulnerable vCenter servers inside Iran are exposed.

  • Exploit code for this vulnerability has now been made public, so vCenter must be disconnected from the Internet as soon as possible and then upgraded to the latest vCenter version.

According to VMware, «this vulnerability is present in a plugin that is installed by default in the vSphere (HTML5) client». An attacker with network access to port 443 can exploit it to execute commands remotely, without any user authentication and with the highest possible level of privilege.

The vulnerable plugin in question is the vRealize Operations (vROPs) plugin, which is installed by default in the vSphere (HTML5) client.

Vulnerability testing method

To test for the vulnerability, download the following file (by robwillisinfo) and run the following PowerShell command against your vCenter:

powershell.exe -ExecutionPolicy Bypass vCenter-CVE-2021-21972-Checker.ps1 -targethosts {IP} -o {OUTPUT FILE} -f

Vulnerability test script

Security recommendations

To fix this vulnerability, install the patch VMware has published for vCenter:

| Product        | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds |
|----------------|---------|------------|----------------|--------|----------|---------------|-------------|
| vCenter Server | 7.0     | Any        | CVE-2021-21972 | 9.8    | CRITICAL | 7.0 U1c       | KB82374     |
| vCenter Server | 6.7     | Any        | CVE-2021-21972 | 9.8    | CRITICAL | 6.7 U3l       | KB82374     |
| vCenter Server | 6.5     | Any        | CVE-2021-21972 | 9.8    | CRITICAL | 6.5 U3n       | KB82374     |

Even if the above patch is applied, we strongly recommend never exposing the vCenter service to the Internet, given its extreme sensitivity.

Temporary workaround

If for any reason you cannot install the patch, you can temporarily mitigate the problem by disabling the vROPs plugin:

  1. Establish an SSH connection to the vCSA.

  2. Take a backup of the compatibility-matrix.xml file:

    • Linux: /etc/vmware/vsphere-ui/compatibility-matrix.xml

    • Windows: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml

  3. Modify the contents of the file as follows (add the PluginPackage line for com.vmware.vrops.install):

    <Matrix>
      <pluginsCompatibility>
        ...
        <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
      </pluginsCompatibility>
    </Matrix>
  4. Restart the vsphere-ui service with the following command:

    • Linux: service-control --restart vsphere-ui

    • Windows: C:\Program Files\VMware\vCenter Server\bin> service-control --restart vsphere-ui

  5. To confirm that the workaround is effective, browse to: https://<srv-name>/ui/vropspluginui/rest/services/checkmobregister

  6. If the workaround has been applied correctly, you will see a red "[404] Page not found" message.

  7. In addition, in the web interface under Administration > Solutions > Client Plug-ins, the VMware vROPS Client plugin will be displayed with the title "incompatible".