19 critical vulnerabilities in VMware vCenter Server. Patch immediately

Cybersecurity specialists report multi-vulnerability detection in VMware vCenter Server, the centralized management utility for VMware deployments. According to the report, the successful exploitation of these flaws would allow threat actors to deploy all kinds of attack variants.

Below are brief descriptions of some of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-21991: The way vCenter Server handles session tokens would allow local users to escalate privileges to Administrator in the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).

This is a low severity flaw and received a CVSS score of 7.7/10.

CVE-2021-22013: An input validation error when processing directory cross-streams in the appliance management API would allow unauthenticated remote threat actors to send specially crafted HTTP requests to port 443/TCP in order to access arbitrary information on the system.

The vulnerability received a CVSS score of 6.5/10.

CVE-2021-22020: Insufficient validation of user-provided inputs in the analytics service would allow a remote hacker to send specially crafted requests in order to trigger a denial-of-service (DoS) attack.

This is a low severity flaw and received a CVSS score of 3.8/10.

CVE-2021-22019: Insufficient validation of user-provided inputs in the VAPI service would allow remote threat actors to pass a specially crafted jsonrpc message to port 5480/TCP to deploy a DoS attack.

The flaw received a CVSS score of 4.6/10.

CVE-2021-22018: Inadequate security restrictions in a VMware vSphere Life-cycle Manager plug-in would allow unauthenticated remote hackers to send a specially crafted request to port 9087/TCP and delete random files.

This vulnerability received a 5.7/10 CVSS score.

CVE-2021-22017: Improper implementation of URI normalization in rhttpproxy would allow unauthenticated remote attackers to request a specially crafted URL, evade the rhttpproxy mechanism, and access exposed endpoints.

This is a medium severity flaw and received a CVSS score of 6.4/10.

CVE-2021-22016: Improper disinfection of user-provided data would allow remote hackers to trick the victim into executing HTML code and arbitrary scripts in the context of a vulnerable website.

This is a low severity flaw and received a CVSS score of 5.3/10.

CVE-2021-22015: Incorrect use of default permissions for configuration files and folders would allow local users with system access to escalate privileges to root on the vCenter Server Appliance.

This is a medium severity flaw and received a CVSS score of 6.8/10.

CVE-2021-22014: Incorrect input validation in VAMI would allow a remotely authenticated user to send a specially crafted request to port 5480/TCP and execute arbitrary code on the target system.

The flaw received a CVSS score of 6.3/10.

According to the report, all detected flaws reside in the following implementations of vCenter Server: 6.5, 6.5 U1, 6.5 U3, 6.5 U3a, 6.5 U3b, 6.5 U3c, 6.5 U3d, 6.5 U3e, 6.5 U3f, 6.5 U3g, 6.5 U3h, 6.5 U3i, 6.5 U3j, 6.5 U3k, 6.5 U3l, 6.5 U3m, 6.5 U3n, 6.5 U3o, 6.5 U3p, 6.5.0, 6.5.0a, 6.5.0b, 6.5.0c, 6.5.0d, 6.5u2c, 6.7, 6.7 U3, 6.7 U3a, 6.7 U3b, 6.7 U3c, 6.7 U3d, 6.7 U3e, 6.7 U3f, 6.7 U3g, 6.7 U3h, 6.7 U3i, 6.7 U3k, 6.7 U3l, 6.7 U3m, 6.7 U3n, 6.7.0, 6.7.0d, 7.0, 7.0 U1a, 7.0 U1b, 7.0 U1c, 7.0 U2a & 7.0 U2b.

While some of the flaws can be exploited remotely by unauthenticated threat actors, cybersecurity experts have not detected active exploitation attempts or the existence of any malware variant associated with these scenarios. A full list of the reported security flaws is available on VMware official platforms.

Security patches are now available, so users of affected deployments are encouraged to install the updates as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.