Please take note of this as a priority if you work on a VMware project or manage VMware infrastructure. The talk over the weekend has been a potential ransomware attack on VMware ESXi servers. I have simplified the table by adding the base build number that contains the fix, to make it easier to validate your environment.
Note: This article covers only ESXi and vCenter Server (not VMware Cloud Foundation).
This article covers all three CVEs reported as part of VMware Advisory VMSA-2021-0002. You can skip to the ESXi section if you are only focused on CVE-2021-21974.
Advisory ID | VMSA-2021-0002 |
Issue Date | 2021-02-23 |
CVE(s) | CVE-2021-21972, CVE-2021-21973, CVE-2021-21974 |
Affected Products | VMware ESXi, vCenter Server and VMware Cloud Foundation (Cloud Foundation) |
VMware Reference link: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Fix for vCenter Server – For vCenter Server there are two vulnerabilities reported (the fix and workaround are the same for both). I have also indicated the base build number that contains the fix, so you can double-check your environment and confirm whether you are already on a fixed version.
To check the vCenter build number, use this KB article: https://kb.vmware.com/s/article/2143838
- VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972)
- VMware vCenter Server updates address SSRF vulnerability in the vSphere Client (CVE-2021-21973)
Product | Version | CVE Identifier | Severity | Fixed Version | Workarounds | Base Build Number with fix |
vCenter Server | 7.0 | CVE-2021-21972 | Critical | 7.0 U1c | KB82374 | 17327517 |
vCenter Server | 6.7 | CVE-2021-21972 | Critical | 6.7 U3l | KB82374 | 17138064 |
vCenter Server | 6.5 | CVE-2021-21972 | Critical | 6.5 U3n | KB82374 | 17590285 |
Product | Version | CVE Identifier | Severity | Fixed Version | Workarounds | Base Build Number with fix |
vCenter Server | 7.0 | CVE-2021-21973 | Moderate | 7.0 U1c | KB82374 | 17327517 |
vCenter Server | 6.7 | CVE-2021-21973 | Moderate | 6.7 U3l | KB82374 | 17138064 |
vCenter Server | 6.5 | CVE-2021-21973 | Moderate | 6.5 U3n | KB82374 | 17590285 |
Note: The workaround does not require a restart of the whole vCenter Server; it only requires a restart of a service in vCenter.
——————————————————————————————————————–
Fix for ESXi – For ESXi there is one vulnerability reported. I have also indicated the base build number that contains the fix, so you can double-check your environment and confirm whether you are already on a fixed version.
- ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)
To check the ESXi build number, use this KB article: https://kb.vmware.com/s/article/2143832
Product | Version | CVE Identifier | Severity | Fixed Version | Workarounds | Base Build Number with fix |
ESXi | 7.0 | CVE-2021-21974 | Important | ESXi70U1c-17325551 | KB76372 | ESXi 7.0 Update 1c, Build Number: 17325551 |
ESXi | 6.7 | CVE-2021-21974 | Important | ESXi670-202102401-SG | KB76372 | ESXi 6.7 EP 18, Build Number: 17499825 |
ESXi | 6.5 | CVE-2021-21974 | Important | ESXi650-202102101-SG | KB76372 | ESXi 6.5 P06, Build Number: 17477841 |
Note: There is no requirement to reboot the ESXi host to disable or enable the service (for the workaround).
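
To apply the vCenter and ESXi tables above across an inventory, the following added example (not from the VMware advisory or the KB articles) compares reported builds against the base build numbers listed on this page. It assumes each inventory entry has the shape "<product name> <version> build-<number>", and that build numbers only increase within a release line; the function and variable names are hypothetical and the sample entries are constructed.

```python
import re

# Base build numbers containing the fix, copied from the tables on this page,
# keyed by (product, release line).
FIXED_BUILD = {
    ("vcenter", "7.0"): 17327517, ("vcenter", "6.7"): 17138064,
    ("vcenter", "6.5"): 17590285,
    ("esxi", "7.0"): 17325551, ("esxi", "6.7"): 17499825,
    ("esxi", "6.5"): 17477841,
}

# Assumed banner shape: "<product name> <major>.<minor>[.<patch>] build-<number>"
BANNER = re.compile(r"(.+?)\s+(\d+\.\d+)(?:\.\d+)*\s+build-(\d+)\s*$")

def classify(banner):
    """Return (product, release_line, build, status) for one banner string."""
    m = BANNER.match(banner.strip())
    if not m:
        return (None, None, None, "unparsed")
    name, line, build = m.group(1).lower(), m.group(2), int(m.group(3))
    if "esxi" in name:
        product = "esxi"
    elif "vcenter" in name or "virtualcenter" in name:
        product = "vcenter"
    else:
        return (None, line, build, "unparsed")
    fixed = FIXED_BUILD.get((product, line))
    if fixed is None:
        status = "not-in-table"   # release line not listed on this page
    elif build >= fixed:
        status = "fixed"          # at or above the base build with the fix
    else:
        status = "needs-patch"    # below the base build: patch or apply the KB workaround
    return (product, line, build, status)

# Constructed sample inventory (not real hosts).
SAMPLE = [
    "VMware ESXi 6.7.0 build-14320388",
    "VMware ESXi 7.0.1 build-17325551",
    "VMware VirtualCenter 6.5.0 build-17590285",
    "VMware ESXi 6.0.0 build-3620759",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", classify(entry)[3])
```

A "needs-patch" result only reflects the build number; whether the KB workaround has already been applied on that system has to be checked separately.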