Report DIVD-2021-00036-vCenter Server Arbitrary File Read Vulnerability

Report DIVD-2021-00036– vCenter Server Arbitrary File Read Vulnerability

February 19th, 2022 by Gerard Janssen

Case Lead: Matthijs Koot
Researchers: Lennaert Oudshoorn and Victor Gevers

On November 23, 2021, VMware has released security updates for vCenter Server, addressing several vulnerabilities. VMware vCenter Server is a centralized management utility, used to manage multiple virtual machines from a single location (See also DIVD-2021-00010). Researchers found that VMware vCenter Server versions 6.5 or 6.7, and Cloud Foundation 3.x are vulnerable, because of an arbitrary file read, a server-side request forgery (SSRF) and a cross site scripting (XSS) vulnerability. Unauthenticated malicious actors could exploit these vulnerabilities to gain access to sensitive information.

December 3, 2021, DIVD started scanning for these versions and notified system administrators to upgrade VMware vCenter Server to the latest version as soon as possible.

Timeline

Date Description
23-11-2021 VMWare publishes security updates for vCenter Server and releases a patch.
24-11-2021 US Cybersecurity and Infrastructure Security Agency publishes a security advisory.
03-12-2021 Proof of Concept code becomes publicly available. DIVD starts scanning for (CVE-2021-21980) and detects 82 vulnerable systems worldwide.
05-12-2021 DIVD CSIRT sends mail to the owners of the vulnerable systems.
12-01-2021 DIVD scans the internet again and finds 4 vulnerable hosts. Case closed