CVE-2021-21981
📋 TL;DR
CVE-2021-21981 is a privilege escalation vulnerability in VMware NSX-T where local guest users can assign themselves higher RBAC privileges than authorized. This affects organizations running vulnerable versions of VMware NSX-T, potentially allowing attackers to gain administrative control over the virtualization platform.
💻 Affected Systems
- VMware NSX-T Data Center
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over NSX-T, enabling them to manipulate network configurations, access sensitive data, and compromise connected virtual infrastructure.
Likely Case
Local authenticated users escalate privileges to perform unauthorized administrative actions within NSX-T, potentially disrupting network operations or accessing restricted resources.
If Mitigated
With proper network segmentation and access controls, impact is limited to the compromised NSX-T instance without lateral movement to other systems.
🎯 Exploit Status
Requires authenticated access as a local guest user. Exploitation involves manipulating RBAC role assignments through the NSX-T interface or API.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NSX-T Data Center 3.1.2 or 2.5.3
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0006.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from VMware's download portal.
2. Follow VMware's upgrade documentation for NSX-T.
3. Apply the patch to all NSX-T Manager nodes.
4. Restart NSX-T services as required by the upgrade process.
🔧 Temporary Workarounds
Restrict Local User Access
Limit or remove local guest user accounts from NSX-T management interfaces
nsxcli> delete user <username>
nsxcli> show users
Network Segmentation
Isolate NSX-T management interfaces from general user networks
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach NSX-T management interfaces
- Monitor and audit all RBAC role assignment changes in NSX-T logs
🔍 How to Verify
Check if Vulnerable:
Check NSX-T version via NSX Manager UI or CLI: nsxcli> get version
Check Version:
nsxcli> get version
Verify Fix Applied:
Confirm version is 3.1.2 or higher for 3.x, or 2.5.3 or higher for 2.5.x
📡 Detection & Monitoring
Log Indicators:
- Unexpected RBAC role assignment events
- Multiple failed privilege escalation attempts followed by successful ones
- User accounts gaining administrative privileges unexpectedly
Network Indicators:
- Unusual API calls to RBAC endpoints from non-admin users
- Multiple authentication attempts from single source to NSX-T management interface
SIEM Query:
source="nsx-t" AND (event_type="role_assignment" OR event_type="privilege_change") AND user_role="admin"
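The log indicators above (self-assigned roles, privileged roles granted by non-admins, failures followed by success) can be turned into a small correlation check. This is an added example, not part of the advisory or VMware's tooling; the audit line format and field names (actor, target, role, result) are constructed for illustration and the role and granter sets are assumed, so adapt the regex and sets to what your NSX-T syslog collector actually emits.

```python
import re

# Constructed sample audit events (not real NSX-T format; field names assumed).
# actor = account making the change, target = account whose role changed.
SAMPLE_LOG = """\
2021-04-01T10:00:01Z nsx-mgr audit actor=admin target=alice role=auditor result=OK
2021-04-01T10:01:40Z nsx-mgr audit actor=guest1 target=guest1 role=enterprise_admin result=FAILED
2021-04-01T10:02:14Z nsx-mgr audit actor=guest1 target=guest1 role=enterprise_admin result=OK
2021-04-01T10:05:00Z nsx-mgr audit actor=alice target=bob role=network_engineer result=OK
2021-04-01T10:06:45Z nsx-mgr audit actor=auditor1 target=bob role=enterprise_admin result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ audit actor=(?P<actor>\S+) target=(?P<target>\S+) "
    r"role=(?P<role>\S+) result=(?P<result>\S+)$"
)

# Assumed name for the top privilege level; map to your deployment's role catalog.
PRIVILEGED_ROLES = {"enterprise_admin"}
# Constructed allowlist of accounts permitted to grant privileged roles.
AUTHORIZED_GRANTERS = {"admin"}

def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text, granters=AUTHORIZED_GRANTERS):
    """Return (ts, actor, target, role, reasons) for each suspicious assignment."""
    alerts = []
    failed_actors = set()  # actors with an earlier failed assignment attempt
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["result"] != "OK":
            failed_actors.add(ev["actor"])  # remember failures for later correlation
            continue
        reasons = []
        if ev["actor"] == ev["target"]:
            reasons.append("self-assignment")
        if ev["role"] in PRIVILEGED_ROLES and ev["actor"] not in granters:
            reasons.append("privileged role granted by unauthorized actor")
        if ev["actor"] in failed_actors:
            reasons.append("success after earlier failed attempt")
        if reasons:
            alerts.append((ev["ts"], ev["actor"], ev["target"], ev["role"], reasons))
    return alerts
```

Feeding the constructed sample through `find_suspicious` flags the guest1 self-assignment (all three reasons) and the auditor1 grant of enterprise_admin to bob, while the routine admin and alice changes pass.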