CVE-2021-21991
📋 TL;DR
CVE-2021-21991 is a local privilege escalation vulnerability in VMware vCenter Server that allows authenticated non-administrative users to gain Administrator privileges. This affects vSphere Client (HTML5) and vCenter Server vSphere Web Client (FLEX/Flash). Organizations using vulnerable vCenter Server versions are at risk.
💻 Affected Systems
- VMware vCenter Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with valid user credentials gains full administrative control over vCenter Server, potentially compromising the entire virtual infrastructure, deploying malicious VMs, accessing sensitive data, and persisting access.
Likely Case
Malicious insider or compromised user account escalates to administrator, gains control over virtual machines and infrastructure, and potentially moves laterally to other systems.
If Mitigated
With proper network segmentation, least privilege access, and monitoring, impact is limited to the vCenter Server itself with detection of privilege escalation attempts.
🎯 Exploit Status
Exploitation requires valid user credentials but is relatively straightforward once authenticated. Multiple security researchers have published proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vCenter Server 6.5 U3n, 6.7 U3o, 7.0 U2b or later
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0020.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the VMware Customer Connect portal.
2. Back up the vCenter Server configuration and database.
3. Apply the patch using vCenter Server Update Manager or the manual installer.
4. Restart vCenter Server services or the entire server as required.
🔧 Temporary Workarounds
Restrict User Access
Limit non-administrative user access to vCenter Server to only essential personnel and implement strict access controls.
Network Segmentation
Isolate the vCenter Server management network from general user networks and implement firewall rules to restrict access.
🧯 If You Can't Patch
- Implement strict least privilege access controls and monitor all user activity on vCenter Server
- Deploy network segmentation and isolate vCenter Server from general user networks
🔍 How to Verify
Check if Vulnerable:
Check vCenter Server version via vSphere Client: Navigate to Menu > Administration > Deployment > System Configuration > Nodes. Vulnerable if version is 6.5 before U3n, 6.7 before U3o, or 7.0 before U2b.
Check Version:
On vCenter Server Appliance: from the appliance shell, run cat /etc/vmware-release. On Windows: check Programs and Features or the vCenter Server installer logs.
Verify Fix Applied:
Verify version is 6.5 U3n or later, 6.7 U3o or later, or 7.0 U2b or later. Test with non-admin user attempting privilege escalation actions.
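As an added example (not VMware tooling or code from this advisory), the following Python classifies a version designation obtained from the checks above against the fixed releases this page lists (6.5 U3n, 6.7 U3o, 7.0 U2b). It assumes the designation is written as "major.minor [U<n><letter>]", optionally preceded by product text; the sample strings are constructed.

```python
import re
from typing import Optional, Tuple

# First fixed update release per branch, as stated on this page.
FIXED_IN = {"6.5": "U3n", "6.7": "U3o", "7.0": "U2b"}

# Assumed designation shape: "6.7", "6.7 U3", "6.7 U3o", "vCenter Server 7.0 U2b".
# The branch must be preceded by start-of-string or whitespace so that a
# three-part build number such as "6.7.0" is rejected rather than misread.
_DESIGNATION = re.compile(r"(?:^|\s)(\d+\.\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def parse_designation(text: str) -> Tuple[str, Tuple[int, str]]:
    """Return (branch, (update, letter)), e.g. '6.7 U3o' -> ('6.7', (3, 'o')).

    A GA release with no update ('6.7') keys as (0, ''), which sorts before
    every update; 'U3' keys as (3, '') and sorts before 'U3a'.
    """
    m = _DESIGNATION.search(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version designation: {text!r}")
    branch, update, letter = m.groups()
    return branch, (int(update) if update else 0, (letter or "").lower())


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if it is the
    fixed release or later, None if the branch is not one this page lists."""
    branch, key = parse_designation(text)
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return None
    _, fixed_key = parse_designation(f"{branch} {fixed}")
    return key < fixed_key


if __name__ == "__main__":
    # Constructed sample inputs, as a reader might paste them from the version check.
    for sample in ("6.5 U3m", "6.7 U3o", "vCenter Server 7.0 U2a", "7.0 U3", "8.0"):
        print(f"{sample:28s} -> vulnerable: {is_vulnerable(sample)}")
```

A result of None means the branch is outside the three this page covers and must be judged against the vendor advisory rather than this table.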
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events in vCenter Server logs
- Multiple failed authentication attempts followed by successful login and privilege changes
- User accounts performing administrative actions without prior history
Network Indicators:
- Unusual authentication patterns to vCenter Server
- Multiple user sessions from same account with different privilege levels
SIEM Query:
source="vcenter" AND (event_type="privilege_escalation" OR (user_change="*" AND privilege_level="Administrator"))