VMware has released patches that address a new critical security advisory, VMSA-2021-0020. This needs your immediate attention if you are using vCenter Server (if you didn’t get an email about it, please subscribe to our Security Advisories mailing list). In most cases a security advisory is straightforward, but sometimes there are nuances that are worth extra discussion. That is the case here, and the goal of this post is to help you decide your course forward.
First, if you haven’t read the original advisory or are a returning visitor, here are some links to the different resources available:
- VMware Security Advisory VMSA-2021-0020 (descriptions of the issues and workarounds)
- VMSA-2021-0020: Questions & Answers (a terrific set of questions we’ve received about this issue)
- VMSA-2021-0020: What You Need to Know (this blog post, in case you forward it)
- VMware Communities Forum Thread on VMSA-2021-0020 (a great place to ask questions)
This post & the questions & answers document will be updated as new information develops.
Who is affected?
VMware Security Advisories always list the specific product versions that are affected. In this case it is vCenter Server 6.5, 6.7, and 7.0.
When do I need to do something about this?
Right now. These updates fix a critical security vulnerability, and your response needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an “emergency change.” All environments are different, have different tolerance for risk, and have different security controls & defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.
Why am I affected?
The VMSA outlines a number of issues that are resolved in this patch release. The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.
The other issues have lower CVSS scores but may still be usable by an attacker who is already inside your organization’s network. One of the biggest problems facing IT today is that attackers often compromise a desktop and/or user account on the corporate network, and then patiently & quietly use that foothold to break into other systems over long periods of time. They steal confidential data and intellectual property, and finally install ransomware and extort payments from their victims. Less urgent security vulnerabilities can still be potential tools in the hands of attackers, so VMware always recommends patching to remove them.
What should I do to protect myself?
First, if you can patch vCenter Server, do it. In general, this is the fastest way to resolve the problem: it does not involve editing files on the vCenter Server Appliance (VCSA), and it removes the vulnerabilities completely. Patching also carries less technical debt and less risk than using a workaround.
If you can’t patch right away, there are workarounds linked from the VMSA, but only for the critical vulnerability. The workaround involves editing a text file on the VCSA and restarting services, and it is documented as part of the VMSA link above.
You may have other security controls in your environment that can help protect you until you are able to patch. For example, use network perimeter access controls or the vCenter Server Appliance firewall to curtail access to the vCenter Server management interfaces. We always strongly suggest limiting access to vCenter Server, ESXi, and vSphere management interfaces to vSphere Admins only. Drive all other workload management activity through the VM network connections. This simplifies access control and makes the RDP or SSH management traffic subject to other security controls, such as IDS/IPS and monitoring.
In this era of ransomware it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.
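To turn the “Who is affected?” list and the patch-first guidance above into an emergency-change work queue, here is an added triage script (not VMware tooling) that flags which vCenter Servers in an inventory are on an affected release train and have not yet reached the fixed build. The affected trains come from the advisory; the FIXED_BUILDS numbers, the hostnames and the version strings are constructed placeholders, so replace them with the build numbers from the VMSA patch table and your own inventory.

```python
"""Triage helper for VMSA-2021-0020: which vCenter Servers still need the patch?
Added example, not VMware tooling. Affected release trains (6.5, 6.7, 7.0)
come from the advisory; FIXED_BUILDS values are CONSTRUCTED placeholders,
replace them with the fixed build numbers from the VMSA patch table.
"""
from typing import Dict, List, Tuple

AFFECTED_TRAINS = ("6.5", "6.7", "7.0")  # listed in VMSA-2021-0020

# PLACEHOLDER values: take the real fixed builds from the advisory.
FIXED_BUILDS: Dict[str, int] = {"6.5": 1000, "6.7": 2000, "7.0": 3000}

# Constructed sample inventory: (hostname, version string, build number).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vc01.example.test", "7.0.2.00400", "3100"),  # at/after the fixed build
    ("vc02.example.test", "7.0.1.00200", "2900"),  # still vulnerable
    ("vc03.example.test", "6.7.0.48000", "1999"),  # still vulnerable
    ("vc04.example.test", "6.5.0.33000", "n/a"),   # build not recorded
    ("vc05.example.test", "6.0.0.30000", "500"),   # train not in this VMSA
]


def release_train(version: str) -> str:
    """'7.0.2.00400' -> '7.0'; the VMSA lists affected versions by train."""
    return ".".join(version.split(".")[:2])


def classify(version: str, build: str,
             fixed: Dict[str, int] = FIXED_BUILDS) -> str:
    """One of: not-listed, patched, action-required, verify-manually."""
    train = release_train(version)
    if train not in AFFECTED_TRAINS:
        return "not-listed"       # outside this advisory; check others
    if train not in fixed or not build.isdigit():
        return "verify-manually"  # cannot prove the fix is present
    return "patched" if int(build) >= fixed[train] else "action-required"


def triage(inventory: List[Tuple[str, str, str]],
           fixed: Dict[str, int] = FIXED_BUILDS) -> Dict[str, List[str]]:
    """Group hostnames by status; action-required is the emergency-change queue."""
    report: Dict[str, List[str]] = {}
    for host, version, build in inventory:
        report.setdefault(classify(version, build, fixed), []).append(host)
    return report


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:16} {', '.join(hosts)}")
```

Hosts that land in verify-manually need their build confirmed by hand, since an unknown build cannot prove the fix is present.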
Where should I go for more information?
There are a number of other places to look for more information on this issue, as well as guidance about security in vSphere:
- Tips for Patching VMware vSphere (practical advice for ensuring patching success)
- VMware vSphere Security Configuration Guide (baseline security best practices for vSphere)
- VMware Ransomware Resource Center (discussion around tactics to help prevent, deter, and recover from attacks)
- VMware Ports & Protocols Firewalling Guidance (ports.vmware.com)
- VMware Security Advisory VMSA-2021-0020 (descriptions of the issues and workarounds)
- VMware Communities Forum Thread on VMSA-2021-0020 (a great place to ask questions)
- VMSA-2021-0020: Questions & Answers (questions we’ve received about this issue)
- VMSA-2021-0020: What You Need to Know (this blog post, in case you forward it)
Thank You
Critical security advisories are always difficult conversations, and unfortunately part of the landscape in IT. We at VMware are always looking at what we need to do to our products to keep these advisories as uncommon occurrences, so we can go back to talking about all the positive security that vSphere offers. Please let us know what other questions we can answer. We appreciate you very much, thank you for being our customers, and hope that you and the others around you are safe and healthy.