CISA: VMware Patches Critical Server Flaw, Warns of Ransomware Threat

A new CISA alert urges entities to apply the software update provided by VMware, which will patch a critical flaw in all server deployments.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released an alert for a recent software update from VMware. A critical flaw in vCenter Server platforms could allow a remote attacker to take control of an affected system.

“In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” VMware Technical Architect Bob Plankers explained in the advisory.

“This advisory is only for vCenter Server, so that lessens the impact of patching (versus updating all hosts),” he added. “vCenter Server is the management interface for vSphere, and restarting it does not impact workload availability, just the ability to manage the workloads.”

With a severity ranking of 9.8 out of 10, the CVE-2021-21985 and CVE-2021-21986 vulnerabilities need immediate attention. The affected product versions include vCenter Server 6.5, 6.7, and 7.0.

The concern is that the impacted servers are in widespread use and are used to administer the vendor’s vSphere and ESXi host products.

Specifically, a remote code execution flaw exists in the vSphere Client because the Virtual SAN Health Check plugin, which is enabled by default in vCenter Server, does not validate its input.

As a result, an attacker with network access to port 443 could exploit the vulnerability and execute commands with unrestricted privileges on the underlying operating system.

“This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not,” Plankers explained.

The second flaw exists in the vSphere authentication mechanism of the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and Cloud Director Availability plugins. Although it received only a moderate severity ranking, an attacker with network access to port 443 could perform actions through the plugins without authentication.

The software update closes these security gaps and strengthens the plugin framework’s enforcement of authentication. It may cause some third-party plugins to stop working, but VMware has reached out to its partners, which are testing their plugins and remedying the issues.

VMware officials warned that in light of the heightened threat landscape, patch management should be a top priority for enterprise organizations. Patching the flaw is the quickest way to resolve the security issue by completely removing the vulnerability from the server.

“These updates fix a critical security vulnerability, and it needs to be considered at once,” explained Plankers. “Organizations that practice change management using the ITIL definitions of change types would consider this an ‘emergency change.’”

“All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act,” he added.

Those entities that can’t immediately apply the patch should review provided mitigation and workaround strategies, which include disabling the impacted plugins by editing a file within the platform and restarting the device.

After the system administrator applies the patch, the plugins will need to be re-enabled.

Other potential workarounds include using Site Recovery to disable the impacted plugin, or disabling the vSAN plugin altogether. However, VMware warned that in doing so, an entity will lose all monitoring, management, and alarms. As such, the method is not recommended by the vendor.

VMware also provided patch management recommendations to support software updates. Given the healthcare sector’s struggles with patching, the insights can support safe patching processes.

The recommendations include making sure the time settings are correct on the appliance, as many patching issues can be tied back to incorrect time synchronization. Other suggestions involve reviewing file-based backup and restoration configurations, taking a snapshot of the platform before updating, and minimizing the number of plugins installed on the server.

“Most organizations employ good security strategies, such as defense-in-depth, zero trust and isolation, good password and account hygiene, etc., and these tactics help immensely when a security vulnerability is disclosed,” officials explained.

“Organizations who have placed their vCenter Servers on networks that are directly accessible from the Internet may not have that line of defense and should audit their systems for compromise,” they added. “They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.”
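The two risk factors the article keeps returning to are that both flaws are reachable by anyone who can open a connection to vCenter Server on port 443, and that vCenter instances reachable from outside a controlled management network should be audited for compromise. The script below is an added example written for this article, not code from VMware or CISA: it reads firewall accept/drop logs in a constructed syslog-like format (the format, the vCenter addresses, and the approved management and enterprise address ranges are all assumptions to be replaced with your own) and lists every accepted TCP/443 connection to a vCenter address that did not come from an approved management network, separating sources inside the enterprise ranges from sources outside them so the audit can start with the most exposed cases.

```python
"""Flag accepted connections to vCenter Server's HTTPS port (TCP/443) that
did not originate from approved management networks.

Constructed example for this article; not VMware's or CISA's code. The log
line format below is our own invention; adapt LINE_RE to your firewall's
actual export format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical vCenter Server addresses (placeholders, not from the article).
VCENTER_HOSTS = {"10.10.5.20", "10.10.5.21"}

# Hypothetical networks from which administrators are allowed to reach vCenter.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.50.0/24"),
                   ipaddress.ip_network("10.10.51.0/24")]

# Hypothetical address space the enterprise owns; anything else is "external".
ENTERPRISE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log lines in our own format (timestamps and addresses
# are made up; 198.51.100.0/24 is a documentation range used as a stand-in
# for an outside source).
SAMPLE_LOG = """\
2021-05-26T10:01:12Z fw01 ACCEPT src=10.10.50.14 dst=10.10.5.20 proto=TCP dport=443
2021-05-26T10:02:45Z fw01 ACCEPT src=10.20.3.77 dst=10.10.5.20 proto=TCP dport=443
2021-05-26T10:03:01Z fw01 ACCEPT src=198.51.100.23 dst=10.10.5.21 proto=TCP dport=443
2021-05-26T10:03:30Z fw01 ACCEPT src=10.10.50.14 dst=10.10.5.20 proto=TCP dport=22
2021-05-26T10:04:10Z fw01 DROP src=203.0.113.9 dst=10.10.5.20 proto=TCP dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    origin: str  # "external" or "internal-unapproved"


def in_any(ip, networks):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in networks)


def classify_source(ip):
    """Sources outside the enterprise's own ranges are the most urgent to audit."""
    return "internal-unapproved" if in_any(ip, ENTERPRISE_NETS) else "external"


def find_unapproved_vcenter_access(log_text):
    """Return findings for accepted TCP/443 hits on vCenter from non-management sources."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # line is not in the format we understand; skip it
        if m["action"] != "ACCEPT":
            continue  # dropped traffic never reached vCenter
        if m["dst"] not in VCENTER_HOSTS or m["proto"] != "TCP" or m["dport"] != "443":
            continue  # not the vCenter HTTPS interface
        src = ipaddress.ip_address(m["src"])
        if in_any(src, MANAGEMENT_NETS):
            continue  # approved administrative source
        findings.append(Finding(m["ts"], m["src"], m["dst"], classify_source(src)))
    return findings


def summarize(findings):
    """Count findings per origin class so the audit can be prioritised."""
    counts = {"external": 0, "internal-unapproved": 0}
    for f in findings:
        counts[f.origin] += 1
    return counts


if __name__ == "__main__":
    results = find_unapproved_vcenter_access(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.origin:<19} {f.src} -> {f.dst}:443")
    print("summary:", summarize(results))
```

Any "external" finding means the perimeter controls the article recommends (firewalls, ACLs on management interfaces) are not in place for that vCenter instance, and that host belongs at the top of the compromise audit; "internal-unapproved" findings show reachability from workstations or user networks, which is exactly the starting position the advisory tells you to assume an attacker already holds.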
