Vulnerability in VMware vCenter: Hackers Could Deploy Ransomware



VMware has massive security issues. After a vulnerability in vCenter became known in February, the next serious flaw has now come to light. […]

VMware once again has to plug a major security hole in its platform. This time it again affects vCenter, the central management platform for virtualized IT infrastructures. Versions 6.5, 6.7 and 7.0 are affected. The vulnerability, officially designated CVE-2021-21985, lies in vCenter’s vSAN plugin. The problem: this plugin is enabled by default, so the flaw also affects vCenter users who do not use the plugin.

The consequences of the vulnerability can be serious. Attackers could theoretically reach the central host system through port 443 and run arbitrary malicious code there. A firewall on this port could be the last line of defense, VMware executives write in a FAQ on the issue. “Companies that have placed their vCenter servers on networks accessible directly from the Internet may not have this line of defense and should check their systems for compromise,” the software manufacturer advises its customers. “You should also take steps to implement more perimeter security controls such as firewalls and access control lists (ACLs) at the management interfaces of your infrastructure.”
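As an added illustration of the ACL advice above (not code from VMware or from this article), the following Python sketch audits a firewall rule list for rules that let sources outside an approved admin subnet reach a vCenter management interface on port 443. The rule format, all addresses and the admin subnet are constructed assumptions, and the rule set is assumed to be first-match with an implicit default deny.

```python
import ipaddress

def _within(src, nets):
    """True if src is entirely contained in one of nets (same IP version)."""
    return any(src.version == n.version and src.subnet_of(n) for n in nets)

def audit_acl(rules, target, port, admin_nets):
    """Return (rule number, source) for permits exposing target:port beyond admin_nets."""
    target = ipaddress.ip_address(target)
    admin = [ipaddress.ip_network(n) for n in admin_nets]
    denied = []    # sources already blocked by an earlier matching deny
    findings = []
    for idx, rule in enumerate(rules, start=1):
        dst = ipaddress.ip_network(rule["dst"])
        if target not in dst or rule["port"] not in (port, "any"):
            continue  # rule does not cover the management interface
        src = ipaddress.ip_network(rule["src"])
        if rule["action"] == "deny":
            denied.append(src)
        elif _within(src, denied):
            continue  # fully shadowed by an earlier deny, never takes effect
        elif not _within(src, admin):
            findings.append((idx, str(src)))  # reachable from outside admin nets
    return findings

# Constructed sample rule set (hypothetical addresses, top-down evaluation).
SAMPLE_RULES = [
    {"action": "permit", "src": "10.99.0.0/24",    "dst": "10.20.0.10/32", "port": 443},
    {"action": "deny",   "src": "192.168.50.0/24", "dst": "10.20.0.0/24",  "port": "any"},
    {"action": "permit", "src": "192.168.50.0/25", "dst": "10.20.0.10/32", "port": 443},
    {"action": "permit", "src": "10.0.0.0/8",      "dst": "10.20.0.0/24",  "port": 443},
    {"action": "permit", "src": "0.0.0.0/0",       "dst": "10.20.0.10/32", "port": 443},
    {"action": "permit", "src": "0.0.0.0/0",       "dst": "10.20.0.50/32", "port": 443},
]

if __name__ == "__main__":
    for number, source in audit_acl(SAMPLE_RULES, "10.20.0.10", 443, ["10.99.0.0/24"]):
        print(f"rule {number}: {source} can reach vCenter on 443")
```

Permits that only partly overlap an earlier deny are still reported, so the check errs on the side of flagging exposure.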

In the wake of the recent incident, VMware is sounding the alarm: “This requires your immediate attention when using vCenter Server,” it said in a blog post. Given the increasing volume of ransomware, it is safest for users to assume the worst and expect that an attacker is already somewhere on the network, on a desktop, and may even have taken control of a user account. “We strongly recommend making contingency plans and patching as soon as possible.”

VMware has already provided patches. If an update is not possible, the plugins in the vCenter server should be turned off as a last resort. The manufacturer has already published instructions for this. However, those responsible at VMware warn that shutting down the affected vSAN plugin hinders the operation and especially the monitoring of vCenter environments. The plugin should therefore only be taken out of operation for a short time. With the patches, VMware intends to give its customers improved authentication when accessing vCenter plugins. Whether this works smoothly with all plugins, especially those from third-party providers, cannot be guaranteed.

VMware was already in the headlines in February of this year. A vulnerability in the vSphere Client, a vCenter plugin that allows administrators to control and manage VMware products on various devices on the network, allowed hackers to take control of affected devices and execute malicious code there. Scans by security experts revealed that about 6,700 vulnerable vCenter servers were exposed to the internet. Also in February 2021, it was announced that cyber criminals had exploited vulnerabilities in ESXi (CVE-2019-5544 and CVE-2020-3992) to compromise virtual machines in enterprise networks and deploy ransomware there. The attacks began in October 2020.

In light of the recent security incidents around VMware products, the manufacturer recommended that its customers pay more attention to IT security. After all, the problems did not only concern VMware software. However, adding more layers of control would not be sufficient on its own. The point is to separate networks more effectively. “Ransomware gangs have repeatedly demonstrated their ability to compromise corporate networks by waiting extremely patiently for a new vulnerability to then attack from within a network,” VMware officials said. Organizations should establish additional security controls and consider isolating their IT infrastructure from other parts of the enterprise network. The software manufacturer advises users to implement Zero Trust security strategies.

* Specialty business software: Business Intelligence, Big Data, CRM, ECM and ERP; support of news and title series in the print edition of COMPUTERWOCHE.
