CVE-2021-22012
📋 TL;DR
CVE-2021-22012 is an information disclosure vulnerability in an appliance management API of VMware vCenter Server that is reachable without authentication. An attacker with network access to port 443 on vCenter can retrieve sensitive appliance information without any credentials. It affects vCenter Server 6.5, 6.7 and 7.0 and was fixed by VMware in VMSA-2021-0020 (September 2021).
💻 Affected Systems
- VMware vCenter Server 6.5, 6.7 and 7.0 (including the vCenter Server instances shipped with VMware Cloud Foundation 3.x and 4.x)
📦 What is this software?
vCenter Server is VMware's central management platform for vSphere: it manages ESXi hosts, virtual machines, storage and networking, and is usually deployed as the vCenter Server Appliance (VCSA). Because it holds the configuration and credentials for the whole virtual estate, it is a high-value target, and its HTTPS interface on port 443 is where the affected API is exposed.
⚠️ Risk & Real-World Impact
Worst Case
Disclosed appliance details (version, build, configuration data and possibly credentials) used to select and stage follow-on attacks, for example the unauthenticated file upload RCE CVE-2021-22005 fixed in the same advisory, ending in full control of vCenter Server and lateral movement across the ESXi hosts and virtual machines it manages.
Likely Case
Unauthenticated disclosure of appliance configuration and system details, and potentially credentials, that an attacker can use to fingerprint the deployment and plan further attacks.
If Mitigated
Limited information exposure with proper network segmentation and access controls in place.
🎯 Exploit Status
Plain HTTPS requests to the affected appliance management API paths are enough to retrieve the disclosed information. No credentials, user interaction or prior foothold is needed; only network reachability of port 443.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vCenter Server 7.0 U2c, 6.7 U3o, 6.5 U3q or later (fixed builds listed in the VMSA-2021-0020 response matrix)
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0020.html
Restart Required: Yes
Instructions:
1. Back up vCenter Server (file-based backup from the appliance management interface, or a snapshot of the appliance VM).
2. Download the patch bundle for your release line from the VMware Customer Connect portal.
3. Apply it through the vCenter Server Appliance Management Interface (VAMI, https://<vcenter>:5480, Update page) or from the appliance shell with `software-packages stage --iso` followed by `software-packages install --staged`. Note that vSphere Update Manager / Lifecycle Manager patches ESXi hosts, not the vCenter appliance itself.
4. Reboot the appliance when the installer requires it and confirm all services come back up.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to vCenter Server port 443 to trusted management networks only
Firewall Rules
Implement firewall rules to block unauthorized access to the vCenter Server appliance management API
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vCenter Server from untrusted networks
- Monitor for unauthorized access attempts to vCenter Server port 443 and investigate any suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check vCenter Server version via vSphere Client or SSH to appliance and run 'vmware -v'
Check Version:
ssh root@vcenter-server 'vmware -v'
Verify Fix Applied:
Confirm the running build is at or above the fixed build for your release line (7.0 U2c, 6.7 U3o, 6.5 U3q or later per VMSA-2021-0020) and confirm that unauthenticated requests to the appliance management API now receive an HTTP 401 rather than data.
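As an added example (not part of the original page or VMware's tooling), the check below parses the output of `vmware -v` from the appliance shell and compares the build number against the first fixed build of each release line. The build numbers in `FIXED_BUILDS` are my recollection of VMware's vCenter build-number KB for the VMSA-2021-0020 fixed releases and are an assumption to confirm against the advisory; the sample `vmware -v` strings are constructed.

```python
import re
import subprocess

# First fixed build per release line for VMSA-2021-0020.
# ASSUMPTION: taken from memory of VMware's build-number KB; verify before use.
FIXED_BUILDS = {
    "7.0": 18356314,  # vCenter Server 7.0 U2c
    "6.7": 18485166,  # vCenter Server 6.7 U3o
    "6.5": 18499837,  # vCenter Server 6.5 U3q
}

# `vmware -v` on the appliance prints e.g. "VMware VirtualCenter 7.0.2 build-18356314"
VMWARE_V_RE = re.compile(r"VMware VirtualCenter (\d+)\.(\d+)\.(\d+)\s+build-(\d+)")


def parse_vmware_v(output: str):
    """Return (release_line, patch_level, build) from `vmware -v` output."""
    m = VMWARE_V_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised 'vmware -v' output: {output!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (f"{major}.{minor}", patch, build)


def is_vulnerable(output: str) -> bool:
    """True when the build predates the fixed build for its release line."""
    line, _patch, build = parse_vmware_v(output)
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        # 8.x and later were never affected; anything else is unexpected.
        raise ValueError(f"release line {line} is not covered by VMSA-2021-0020")
    return build < fixed


def check_local_appliance() -> bool:
    """Run `vmware -v` on this appliance (run from the bash shell of the VCSA)."""
    out = subprocess.run(["vmware", "-v"], capture_output=True, text=True, check=True).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample strings, handy for a dry run off the appliance.
    for sample in ("VMware VirtualCenter 7.0.2 build-17958471",
                   "VMware VirtualCenter 7.0.2 build-18356314"):
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample}: {state}")
```

Run it directly on the appliance, or pipe `ssh root@vcenter-server 'vmware -v'` output into `is_vulnerable` from a jump host. A build below the table value means the fix is missing; a release line not in the table means the script has nothing to say and you should check the advisory by hand.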
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to appliance management API requests that carry no vCenter session token or Authorization header
- Requests to appliance management API paths from source addresses that have never authenticated to vCenter, especially in bursts or from scanner-like clients
Network Indicators:
- Unusual traffic patterns to vCenter Server port 443 from unauthorized sources
- HTTP requests to /api/appliance/* endpoints without authentication
SIEM Query:
source="vcenter-logs" AND (uri_path="/api/appliance/*" AND http_status=200) AND NOT (src_ip IN [trusted_management_ips])
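The same detection logic as the SIEM query, implemented over log records so it can be tested offline, as an added example that is not part of the original page or any VMware product. The log line format here is a constructed, simplified one (timestamp, source IP, method, path, status, whether a session was presented) rather than the real vCenter reverse-proxy format, and the `/api/appliance/...` paths are illustrative: the advisory does not name the affected endpoint. The trusted management networks are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# ASSUMPTION: management networks allowed to reach vCenter port 443.
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.100.0/24")]

# Constructed sample lines (not a real vCenter log format):
#   <timestamp> <src_ip> <method> <path> <status> session=<yes|no>
SAMPLE_LOG = """\
2021-09-22T10:01:03Z 10.10.0.15 GET /api/appliance/system/version 200 session=yes
2021-09-22T10:01:09Z 203.0.113.7 GET /api/appliance/system/version 200 session=no
2021-09-22T10:01:10Z 203.0.113.7 GET /api/appliance/networking 401 session=no
2021-09-22T10:01:12Z 203.0.113.7 GET /ui/login 200 session=no
2021-09-22T10:02:44Z 192.168.100.4 GET /api/appliance/services 200 session=no
"""


@dataclass
class Hit:
    ts: str
    src_ip: str
    path: str


def is_trusted(src_ip: str, trusted_nets) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted_nets)


def find_unauthenticated_api_hits(log_text: str, trusted_nets=TRUSTED_MGMT_NETS):
    """Flag successful appliance-API responses to untrusted, session-less clients.

    Mirrors the SIEM query: path under /api/appliance/, status 200, source not in
    the trusted management networks. The session flag is an extra filter that
    removes legitimate authenticated use from an unexpected address.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _method, path, status, session = line.split()
        if not path.startswith("/api/appliance/"):
            continue
        if status != "200":
            continue  # 401/403 means the API refused the caller; a probe, not a leak
        if session == "session=yes":
            continue  # authenticated caller; audit separately if the address is odd
        if is_trusted(src_ip, trusted_nets):
            continue
        hits.append(Hit(ts, src_ip, path))
    return hits


if __name__ == "__main__":
    for h in find_unauthenticated_api_hits(SAMPLE_LOG):
        print(f"ALERT {h.ts} {h.src_ip} read {h.path} without a session")
```

Only the second sample line should fire: the first is a trusted, authenticated client, the third was rejected with 401, the fourth is not an appliance API path, and the fifth comes from an allowed management network. Tune the trusted networks to match the firewall rules above; once patched, the 200-without-session case should disappear from the logs entirely, which makes this rule a cheap regression check.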