CVE-2021-21985
📋 TL;DR
CVE-2021-21985 is a critical remote code execution vulnerability in VMware vSphere Client's Virtual SAN Health Check plugin. Attackers with network access to port 443 can execute arbitrary commands with unrestricted privileges on the underlying vCenter Server operating system. This affects all vCenter Server deployments with the default-enabled Virtual SAN Health Check plugin.
💻 Affected Systems
- VMware vCenter Server
- VMware Cloud Foundation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of vCenter Server allowing attackers to execute arbitrary commands with SYSTEM/root privileges, potentially leading to full domain takeover, data exfiltration, ransomware deployment, or lateral movement across the entire virtual infrastructure.
Likely Case
Attackers gain full control over vCenter Server, enabling them to manipulate virtual machines, steal credentials, deploy malware, and pivot to other systems in the environment.
If Mitigated
With proper network segmentation and access controls, impact is limited to the vCenter Server itself, though this still represents a critical breach of a management system.
🎯 Exploit Status
Multiple public exploit scripts available. Exploitation requires only network access to port 443, no authentication needed. Actively exploited in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vCenter Server 7.0 U2b, 6.7 U3n, 6.5 U3p
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0010.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the VMware portal.
2. Back up vCenter Server.
3. Apply the patch using vCenter Server Update Manager or the manual installer.
4. Restart vCenter Server services.
5. Verify the patch installation.
🔧 Temporary Workarounds
Disable Virtual SAN Health Check plugin
Temporarily disable the vulnerable plugin to prevent exploitation while patching.
# For vCenter Server Appliance (Linux):
# SSH to vCenter Server
# /usr/lib/vmware-vsphere-ui/server/bin/plugin-service.sh --action stop --name com.vmware.vsan.health
# /usr/lib/vmware-vsphere-ui/server/bin/plugin-service.sh --action unregister --name com.vmware.vsan.health
# For Windows vCenter Server:
# Navigate to C:\Program Files\VMware\vCenter Server\vsphere-ui\server\bin
# Run: plugin-service.bat --action stop --name com.vmware.vsan.health
# Run: plugin-service.bat --action unregister --name com.vmware.vsan.health
🧯 If You Can't Patch
- Immediately restrict network access to vCenter Server port 443 to only trusted management networks
- Implement strict network segmentation and firewall rules to isolate vCenter Server from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check whether the Virtual SAN Health Check plugin is enabled and whether the vCenter Server version is one of the vulnerable releases. In the vSphere Client, check the plugin status; alternatively, check the version from the command line.
Check Version:
# vCenter Server Appliance: cat /etc/vmware-vpx/version | grep -i version
# Windows vCenter: Check Add/Remove Programs or registry
Verify Fix Applied:
Verify vCenter Server version is patched (7.0 U2b, 6.7 U3n, or 6.5 U3p) and that Virtual SAN Health Check plugin is either updated or disabled.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP POST requests to /ui/vsan/ endpoints
- Suspicious process creation from vsphere-ui service
- Failed authentication attempts followed by successful exploitation
Network Indicators:
- Unusual outbound connections from vCenter Server
- HTTP requests to /ui/vsan/* with suspicious payloads
- Traffic to known malicious IPs from vCenter Server
SIEM Query:
source="vcenter.log" AND ("POST /ui/vsan/" OR "com.vmware.vsan.health") AND (status=200 OR status=500)
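The log indicators and SIEM query above can be applied offline to an exported access log. The following is an added example, not part of the original advisory: it parses constructed access-log lines in a common combined format (the field layout and the /ui/vsan/rest/proxy path are assumptions) and flags POST requests to /ui/vsan/ that returned 200 or 500, grouped by source address.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real vCenter output; the path and
# field layout are assumptions made for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 1532
203.0.113.9 - - [25/May/2021:10:01:15 +0000] "POST /ui/vsan/rest/proxy HTTP/1.1" 200 44
203.0.113.9 - - [25/May/2021:10:01:16 +0000] "POST /ui/vsan/rest/proxy HTTP/1.1" 500 0
10.0.0.7 - - [25/May/2021:10:02:00 +0000] "GET /ui/vsan/status HTTP/1.1" 200 900
203.0.113.9 - - [25/May/2021:10:02:30 +0000] "POST /ui/vsan/rest/proxy HTTP/1.1" 404 0
"""

# Combined-format line: src ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def is_suspicious(method, path, status):
    """Same condition as the SIEM query: POST to /ui/vsan/ with status 200 or 500."""
    return method == "POST" and path.startswith("/ui/vsan/") and status in (200, 500)

def find_hits(log_text):
    """Return matching requests as dicts with source, timestamp, path and status."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        status = int(m["status"])
        if is_suspicious(m["method"], m["path"], status):
            hits.append({"src": m["src"], "ts": m["ts"], "path": m["path"], "status": status})
    return hits

def sources_by_count(hits):
    """Count hits per source address so repeat sources surface first."""
    return Counter(h["src"] for h in hits).most_common()

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} {h['path']} -> {h['status']}")
    print(sources_by_count(hits))
```

A GET to /ui/vsan/status from an internal client and a POST that returned 404 are deliberately left out of the hits, matching the query's status filter.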
🔗 References
- http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.html
- http://packetstormsecurity.com/files/163487/VMware-vCenter-Server-Virtual-SAN-Health-Check-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2021-0010.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21985