This just in! Today, VMware released an advisor to all users of vCenter and/or VMware Cloud Foundations for two different vulnerabilities found in both the vCenter Server VMware Cloud Foundation (vCenter) products – a remote code execution (labeled as CRITICAL with a rating of 9.8) and an authentication mechanism issue (labeled as MODERATE with a rating of 6.5). VMware is strongly urging users of these products to perform the necessary actions to protect themselves against this exploits immediately.
Who Is Affected?
If you use vCenter Server 7.0, 6.7, or 6.5, or are running VCF 4.x (prior to 4.2.1) or 3.x (prior to 184.108.40.206) than you are affected by the issue. The vulnerabilities lie within plugins that come with or are added to vCenter when you deploy certain products. The plugins are:
- vRealize Operations (vROPs)
- vCenter Life-cycle Manager (vLCM)
- Site Recovery (SRM)
- VMware Cloud Director Availability (VCDA)
Now, whether you use these features/products or not, depending on your version the plugins are installed by default. vCenter 6.5, 6.7, and 7.0 all have the vROPs and and vSAN installed by default. vLCM is not application to 6.5 or 6.7, but is available by default in 7.0. SRM is an additional product, so you shouldn’t be concerned with that one unless you have integrated SRM with your vCenter(s). VCDA is installed by default in 7.0, but is an additional product and integration for 6.5 and 6.7
What Do I Do?
Well, it depends. The quick and easy question is – can you patch/upgrade? If the answer to that question is “You bet I can!”, then your solution is simple:
- For vCenter 7.0 you will need to patch up to 7.0 Update 2b
- For vCenter 6.7, you will need to patch up to 6.7 Update 3n
- For vCenter 6.5, you will need to patch up to 6.5 Update 3p
For VCF users, which isn’t as simple as patching your vCenter appliance:
- If you’re running 4.x, you’re going to need to upgrade to 4.2.1.
- If you’re running 3.x, you’re going to need to upgrade to 220.127.116.11
Okay, so you can’t patch for what ever reason. There’s workarounds that are available and highly suggested. Keep in mind that the workarounds are meant to be temporary solutions until you can patch/upgrade. Again, tem-po-ra-ry. These are some pretty serious vulnerabilities. To put it into perspective, we shared the advisory with some of our customers and they were ready to move on it immediately. To mitigate
- SSH to your VCSA and create a backup of your /etc/vmware/vsphere-ui/compatibility-matrix.xml
cp -v /etc/vmware/vsphere-ui/compatibility-matrix.xml /etc/vmware/vsphere-ui/compatibility-matrix.orig
- Edit /etc/vmware/vsphere-ui/compatibility-matrix.xml
- After the end of the ‘White List’ section and before the beginning of ‘Black List’ section insert the following lines. Look for these lines and insert “PluginPackage” statements as seen below:Before:
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
<PluginPackage id="com.vmware.vsphere.client.h5vsan" status="incompatible"/>
<PluginPackage id="com.vmware.vrUi" status="incompatible"/>
<PluginPackage id="com.vmware.vum.client" status="incompatible"/>
<PluginPackage id="com.vmware.h4.vsphere.client" status="incompatible"/>
- Save and exit
- Stop and restart the vsphere-ui services.
service-control --stop vsphere-ui
service-control --start vsphere-ui
Again, this method is meant as a temporary solution and will affect only the functionality provided by the individual plugins. Note that disabling the plugins WILL NOT protect you from the threat. You MUST mark them as ‘Incompatible’.
With a similar workaround to VMSA-2021-0002, which we wrote about here, VMware has released another advisory with similar vulnerabilities in additional plugins. These are serious threats and should be handled with haste. Normally, I like to be a bit more “playful” with my blog posts, but when it comes to security and critical advisories I prefer to get straight to the meat with my audience. Thanks for reading. If you enjoyed the post make sure you check us out at dirmann.tech and follow us on LinkedIn, Twitter, Instagram, and Facebook!
Paul Dirmann (vExpert*), VCIX-DCV, VCAP-DCV Design, VCAP-DCV Deploy, VCP-DCV, VCA-DBT, C|EH, MCSA, MCTS, MCP, CIOS, Network+, A+) is the owner and current Lead Consultant at Dirmann Technology Consultants. A technology evangelist, Dirmann has held both leadership positions, as well as technical ones architecting and engineering solutions for multiple multi-million dollar enterprises. While knowledgeable in the majority of the facets involved in the information technology realm, Dirmann honed his expertise in VMware’s line of solutions with a primary focus in hyper-converged infrastructure (HCI) and software-defined data centers (SDDC), server infrastructure, and automation. Read more about Paul Dirmann here, or visit his LinkedIn profile.