Report DIVD-2021-00036-vCenter Server Arbitrary File Read Vulnerability

Written on 19 Feb 2022 by Gerard Janssen

Case lead: Matthijs Koot
Researchers: Lennaert Oudshoorn, Victor Gevers
Case file: DIVD-2021-00036

On November 23, 2021, VMware released security updates for vCenter Server that address several vulnerabilities. VMware vCenter Server is a centralized management utility used to manage multiple virtual machines from a single location (see also DIVD-2021-00010). Researchers found that VMware vCenter Server versions 6.5 and 6.7, and Cloud Foundation 3.x, are affected by an arbitrary file read, a server-side request forgery (SSRF) and a cross-site scripting (XSS) vulnerability. Unauthenticated malicious actors could exploit these vulnerabilities to gain access to sensitive information.

On December 3, 2021, DIVD started scanning for these versions and notified system administrators to upgrade VMware vCenter Server to the latest version as soon as possible.

Timeline

| Date | Description |
|---|---|
| 23-11-2021 | VMware publishes security updates for vCenter Server and releases a patch. |
| 24-11-2021 | US Cybersecurity and Infrastructure Security Agency publishes a security advisory. |
| 03-12-2021 | Proof-of-concept code becomes publicly available. DIVD starts scanning for CVE-2021-21980 and detects 82 vulnerable systems worldwide. |
| 05-12-2021 | DIVD CSIRT sends mail to the owners of the vulnerable systems. |
| 12-01-2021 | DIVD scans the internet again and finds 4 vulnerable hosts. Case closed. |