Update VMware vCenter Server for critical vulnerability
The information below was sent to U-M IT groups on September 28, 2021. It is intended for U-M IT staff who are responsible for systems running VMware vCenter Server.
Summary
An arbitrary file upload vulnerability in the Analytics service of vCenter Server could allow for arbitrary code execution. VMware has released fixes/updates, as well as a workaround, to address the vulnerability.
Problem
An attacker with network access to port 443 can exploit the vulnerability to remotely execute code on vCenter Server.
Threats
VMware confirmed reports that CVE-2021-22005 is being exploited in the wild.
Affected Versions
vCenter Server 6.5, 6.7, and 7.0.
Action Items
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- Upgrade to a fixed version as quickly as possible after appropriate testing. See VMware Security Advisory VMSA-2021-0020 for patching information.
- If you are unable to upgrade to a fixed version immediately, apply the temporary workaround provided by VMware. See VMware’s workaround instructions for CVE-2021-22005.
Technical Details
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. An attacker with non-administrative user access on a vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or the vCenter Server vSphere Web Client (FLEX/Flash). See VMSA-2021-0020: What You Need to Know for more information.
How We Protect U-M
- ITS has applied the vCenter Server update to MiDesktop and MiServer.
- ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit, Cybersecurity & Infrastructure Security Agency, 9/24/21
- VMSA-2021-0020.1, VMware, 9/21/21
- Workaround Instructions for CVE-2021-22005 (85717), VMware, 9/24/21
- VMSA-2021-0020: What You Need to Know, VMware, 9/24/21
- VMSA-2021-0020: Questions & Answers, VMware, 9/24/21
- VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access, The Daily Swig, 9/22/21
- CVE-2021-22005, Mitre, 9/21/21