If an attacker hits port 443, they could execute whatever code they please on the host operating system thanks to a vulnerability in vCenter.
VMware is urging its vCenter users to update vCenter Server versions 6.5,6.7, and 7.0 immediately, after a pair of vulnerabilities were reported privately to the company. The most pressing is CVE-2021-21985, which relates to a remote code execution vulnerability in a vSAN plugin enabled by default in vCenter that an attacker could use to run whatever they wished on the underlying host machine, provided they can access port 443. Even if users do not use vSAN, they are likely to be affected because the vSAN plugin is enabled by default. “The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server,” VMware described the issue in an advisory. In its FAQ, VMware warned that since the attacker only needs to be able to hit port 443 to conduct the attack, firewall controls are the last line of defence for users. “Organisations who have placed their vCenter Servers on networks that are directly accessible from the internet may not have that line of defence and should audit their systems for compromise,” the company states.
