Several versions of VMware vCenter Server are affected by a critical remote code execution flaw that is relatively simple to exploit. VMware has released updates for the affected versions, and although there is no indication that attackers have exploited the flaw yet, the company is warning customers to apply the patches right away.
The vulnerability is an input-validation weakness, one of the more common flaw classes in modern applications, and it affects versions 6.5, 6.7, and 7.0 of vCenter Server, as well as versions 3.x and 4.x of Cloud Foundation, which deploys the vulnerable versions of vCenter Server. The bug itself is in a vSphere Client plug-in, but it affects the server by extension.
“The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server,” the advisory says.
“A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
VMware vSphere is one of the more popular virtualization platforms for enterprises, so the vulnerability represents a significant risk for those organizations. In its advisory, VMware said that affected customers should update right away.
“Immediately, the ramifications of this vulnerability are serious,” the advisory says.
“With the threat of ransomware looming nowadays the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing, and act accordingly. This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.”
There’s also a second, somewhat less serious vulnerability that affects the same versions of vCenter and Cloud Foundation.
“The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins,” the advisory says.
Enterprises running affected versions of the VMware software should update as soon as possible. If immediate updating isn't practical, VMware has also released workarounds for each of the affected versions.