VMware has released fixes for several serious vulnerabilities in its vCenter Server, including a critical arbitrary file upload flaw that attackers can exploit remotely with little effort.
The bug (CVE-2021-22005) is present in versions 6.5, 6.7, and 7.0 of vCenter Server, and VMware is encouraging customers running affected versions to update as soon as they can.
“The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available,” the advisory says.
“With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.”
In order to exploit this vulnerability, an attacker would only need the ability to reach a specific port on the affected server.
“A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file,” the advisory says.
Alongside this vulnerability, VMware released patches for more than a dozen other flaws, including a local privilege escalation in vCenter Server.
“A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash),” the VMware advisory says.
VMware also released fixes for several other privilege escalation, denial of service, and information disclosure bugs in vCenter Server and Cloud Foundation. Organizations running affected versions of the products should upgrade as soon as practical.