CVE-2021-21974: VMSA-2021-0002

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.


Advisory ID: VMSA-2021-0002

CVSSv3 Range: 5.3-9.8

Issue Date: 2021-02-23

Updated On: 2021-02-23 (Initial Advisory)

CVE(s): CVE-2021-21972, CVE-2021-21973, CVE-2021-21974

Synopsis: VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)


****1. Impacted Products****

  • VMware ESXi

  • VMware vCenter Server (vCenter Server)

  • VMware Cloud Foundation (Cloud Foundation)

****2. Introduction****

Multiple vulnerabilities in VMware ESXi and vSphere Client (HTML5) were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972)****

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

To remediate CVE-2021-21972 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds for CVE-2021-21972 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

The affected vCenter Server plugin for vROPs is present in all default installations; vROPs itself does not need to be deployed for the endpoint to be reachable. Follow the workarounds KB to disable it.

VMware would like to thank Mikhail Klyuchnikov of Positive Technologies for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vCenter Server | 7.0 | Any | CVE-2021-21972 | 9.8 | Critical | 7.0 U1c | KB82374 | None |
| vCenter Server | 6.7 | Any | CVE-2021-21972 | 9.8 | Critical | 6.7 U3l | KB82374 | None |
| vCenter Server | 6.5 | Any | CVE-2021-21972 | 9.8 | Critical | 6.5 U3n | KB82374 | None |

Impacted Product Suites that Deploy Response Matrix 3a Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21972 | 9.8 | Critical | 4.2 | KB82374 | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21972 | 9.8 | Critical | 3.10.1.2 | KB82374 | None |

****3b. ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)****

OpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

To remediate CVE-2021-21974 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds for CVE-2021-21974 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Lucas Leong (@_wmliang_) of Trend Micro’s Zero Day Initiative for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| [1] ESXi | 7.0 | Any | CVE-2021-21974 | 8.8 | Important | ESXi70U1c-17325551 | KB76372 | None |
| [1] ESXi | 6.7 | Any | CVE-2021-21974 | 8.8 | Important | ESXi670-202102401-SG | KB76372 | None |
| [1] ESXi | 6.5 | Any | CVE-2021-21974 | 8.8 | Important | ESXi650-202102101-SG | KB76372 | None |

Impacted Product Suites that Deploy Response Matrix 3b Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| [1] Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-21974 | 8.8 | Important | 4.2 | KB76372 | None |
| [1] Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-21974 | 8.8 | Important | [2] KB82705 | KB76372 | None |
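The practical question for 3b is which hosts on a segment still answer SLP on port 427, since KB76372 remediates by stopping the service. The following is an added example, not VMware's or OpenSLP's code: it builds an SLPv2 Service Request (SrvRqst, RFC 2608), parses the Service Reply (SrvRply) an agent returns, and can send one probe over UDP. It only confirms exposure; it sends nothing related to the heap overflow. The sample reply is constructed locally with the module's own encoder, and the `service:service-agent` query and `DEFAULT` scope are ordinary SLP values chosen for the example.

```python
"""SLPv2 (RFC 2608) exposure check for the OpenSLP service on ESXi.

Added example, not VMware's code: builds a Service Request (SrvRqst),
parses the Service Reply (SrvRply) an SLP agent returns, and can send one
probe to udp/427. It only confirms that a host still answers SLP; it does
not touch the heap-overflow. Disable the service per KB76372 if it does.
"""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FUNC_SRVRQST = 1
FUNC_SRVRPLY = 2


def _slp_string(s: str) -> bytes:
    """Length-prefixed SLP string: 2-byte big-endian length, then UTF-8."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _header(function: int, body: bytes, xid: int, lang: bytes = b"en") -> bytes:
    """SLPv2 header: version, function, 3-byte length, flags, 3-byte next
    extension offset, XID, language tag length, language tag; then body."""
    header_len = 1 + 1 + 3 + 2 + 3 + 2 + 2 + len(lang)
    total = header_len + len(body)
    return (struct.pack("!BB", SLP_VERSION, function)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags
            + (0).to_bytes(3, "big")          # next extension offset
            + struct.pack("!H", xid)
            + struct.pack("!H", len(lang)) + lang
            + body)


def build_srvrqst(service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", xid: int = 1) -> bytes:
    """Unicast SrvRqst asking the host which service agents it runs."""
    body = (_slp_string("")             # previous-responder list
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string("")           # LDAPv3 predicate
            + _slp_string(""))          # SLP SPI
    return _header(FUNC_SRVRQST, body, xid)


def build_srvrply(urls, xid: int = 1, error_code: int = 0) -> bytes:
    """SrvRply as an agent would answer; used here to construct test input.
    urls is a list of (lifetime_seconds, url) tuples."""
    body = struct.pack("!HH", error_code, len(urls))
    for lifetime, url in urls:
        u = url.encode("utf-8")
        # URL entry: reserved(1), lifetime(2), URL length(2), URL, #auth blocks(1)
        body += struct.pack("!xHH", lifetime, len(u)) + u + b"\x00"
    return _header(FUNC_SRVRPLY, body, xid)


def parse_srvrply(pkt: bytes) -> dict:
    """Parse a SrvRply; raises ValueError on anything that is not one."""
    if len(pkt) < 14 or pkt[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    length = int.from_bytes(pkt[2:5], "big")
    if length != len(pkt):
        raise ValueError("length field %d != datagram size %d" % (length, len(pkt)))
    if pkt[1] != FUNC_SRVRPLY:
        raise ValueError("function %d is not SrvRply" % pkt[1])
    xid, lang_len = struct.unpack("!HH", pkt[10:14])
    off = 14 + lang_len
    error_code, count = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        lifetime, url_len = struct.unpack("!xHH", pkt[off:off + 5])
        off += 5
        url = pkt[off:off + url_len].decode("utf-8", "replace")
        off += url_len
        if pkt[off] != 0:
            raise ValueError("authentication blocks not handled in this example")
        off += 1
        urls.append({"lifetime": lifetime, "url": url})
    return {"xid": xid, "error_code": error_code, "urls": urls}


def probe(host: str, timeout: float = 2.0):
    """Send one SrvRqst to host:427/udp. Returns the parsed reply, or None
    when nothing answers (SLP disabled or filtered)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srvrqst(xid=0x2102), (host, SLP_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_srvrply(data)
```

Run `probe("<esxi-host>")` from a machine on the same segment: a parsed reply with one or more `service:service-agent://...` URLs means the OpenSLP service is still reachable on 427 and the host needs the patch or the KB76372 workaround; `None` means nothing answered within the timeout, which can also be a firewall rule rather than the service being off, so confirm on the host itself.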

****3c. VMware vCenter Server updates address SSRF vulnerability in the vSphere Client (CVE-2021-21973)****

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.

To remediate CVE-2021-21973 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments.

Workarounds for CVE-2021-21973 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

The affected vCenter Server plugin for vROPs is present in all default installations; vROPs itself does not need to be deployed for the endpoint to be reachable. Follow the workarounds KB to disable it.

VMware would like to thank Mikhail Klyuchnikov of Positive Technologies for reporting this issue to us.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vCenter Server | 7.0 | Any | CVE-2021-21973 | 5.3 | Moderate | 7.0 U1c | KB82374 | None |
| vCenter Server | 6.7 | Any | CVE-2021-21973 | 5.3 | Moderate | 6.7 U3l | KB82374 | None |
| vCenter Server | 6.5 | Any | CVE-2021-21973 | 5.3 | Moderate | 6.5 U3n | KB82374 | None |

Impacted Product Suites that Deploy Response Matrix 3c Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-21973 | 5.3 | Moderate | 4.2 | KB82374 | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-21973 | 5.3 | Moderate | 3.10.1.2 | KB82374 | None |
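Both vSphere Client issues (3a, CVE-2021-21972, and 3c, CVE-2021-21973) share the KB82374 workaround: the vROPs plugin package is marked `incompatible` in the vSphere Client compatibility matrix so the HTML5 client never loads the plugin and its endpoint disappears. The following is an added example, not VMware's or the KB's own code, that verifies and applies that entry on the file's contents. The file path `/etc/vmware/vsphere-ui/compatibility-matrix.xml`, the `PluginPackage` element under `pluginsCompatibility`, and the plugin id `com.vmware.vrops.install` are taken from KB82374 as understood here and must be verified against the KB for your version; the sample matrix is constructed for the example.

```python
"""Verify or apply the KB82374 workaround for CVE-2021-21972 / CVE-2021-21973.

Added example, not VMware's code. The workaround marks the vROPs plugin
package 'incompatible' in the vSphere Client compatibility matrix so the
HTML5 client refuses to load it. Element names, plugin id and file path
are assumptions taken from KB82374; check them against the KB.
"""
import xml.etree.ElementTree as ET

# Assumed from KB82374 (verify): plugin package id and matrix file on the VCSA.
VROPS_PLUGIN_ID = "com.vmware.vrops.install"
MATRIX_PATH = "/etc/vmware/vsphere-ui/compatibility-matrix.xml"


def plugin_status(matrix_xml: str, plugin_id: str = VROPS_PLUGIN_ID):
    """Return the 'status' attribute of the PluginPackage entry for plugin_id,
    or None when the matrix has no entry (the plugin then loads normally)."""
    root = ET.fromstring(matrix_xml)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == plugin_id:
            return pkg.get("status")
    return None


def workaround_applied(matrix_xml: str) -> bool:
    """True only if the vROPs package is explicitly marked incompatible."""
    return plugin_status(matrix_xml) == "incompatible"


def apply_workaround(matrix_xml: str) -> str:
    """Return the matrix with the vROPs package marked incompatible.
    Idempotent: an existing entry is updated, otherwise one is added under
    <pluginsCompatibility> (or the root if that element is absent)."""
    root = ET.fromstring(matrix_xml)
    for pkg in root.iter("PluginPackage"):
        if pkg.get("id") == VROPS_PLUGIN_ID:
            pkg.set("status", "incompatible")
            return ET.tostring(root, encoding="unicode")
    parent = root.find("pluginsCompatibility")
    if parent is None:
        parent = root
    ET.SubElement(parent, "PluginPackage",
                  {"id": VROPS_PLUGIN_ID, "status": "incompatible"})
    return ET.tostring(root, encoding="unicode")


def check_file(path: str = MATRIX_PATH) -> bool:
    """Read the live matrix on the appliance and report the workaround state."""
    with open(path, encoding="utf-8") as fh:
        return workaround_applied(fh.read())


# Constructed sample: a matrix that does not yet block the vROPs plugin.
SAMPLE_UNPATCHED = """<Matrix>
  <pluginsCompatibility>
    <PluginPackage id="com.example.other" status="compatible"/>
  </pluginsCompatibility>
</Matrix>"""
```

Back the file up before writing `apply_workaround(...)` output over it, restart the client as the KB directs (`service-control --stop vsphere-ui` then `--start`), and confirm with `check_file()`. The workaround removes the endpoint but does not fix the code; the ‘Fixed Version’ column above remains the remediation, and the entry may need to be re-applied after an update reverts the matrix.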

****5. Change Log****

2021-02-23 VMSA-2021-0002
Initial security advisory.

Related news

'MichaelKors' Showcases Ransomware's Fashionable VMware ESXi Hypervisor Trend

Wide use and a lack of support for malware detection technologies have made VMware's virtualization technology a prime target for cyberattackers.

New ESXiArgs encryption routine outmaneuvers recovery methods

The ransomware group behind the massive attack on ESXi virtual machines has come up with a new variant that can no longer be decrypted with the existing recovery script. (Malwarebytes Labs)

New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool

After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB

CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

By Deeba Ahmed, HackRead.com: The recovery tool is available on GitHub for free.

CISA Releases Recovery Script for Victims of ESXiArgs Ransomware

The malware has affected thousands of VMware ESXi hypervisors in the last few days.

VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks

By Deeba Ahmed, HackRead.com: The refutation came days after Europe and North America were rattled by ESXiArgs ransomware attacks.

Ongoing VMware ESXi Ransomware Attack Highlights Inherent Virtualization Risks

The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.

VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware

Global Ransomware Attack on VMware ESXi Hypervisors Continues to Spread

The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.

Two year old vulnerability used in ransomware attack against VMware ESXi

Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines. (Malwarebytes Labs)

New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an
