<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:765274822;
mso-list-type:hybrid;
mso-list-template-ids:1717331162 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Dear RITL,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Forwarding this for awareness as some of our groups use VMware.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#1F497D">Regards,</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif;color:#0B5AB2">Chuck Forsyth</span></b><span style="font-family:"Arial",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> University of California Information Technology Policy & Security <UCITPS-L@LISTSERV.UCOP.EDU>
<b>On Behalf Of </b>Robert Smith<br>
<b>Sent:</b> Wednesday, May 26, 2021 8:12 AM<br>
<b>To:</b> UCITPS-L@LISTSERV.UCOP.EDU<br>
<b>Subject:</b> Outreach: Critical RCE Vulnerability Found in VMware vCenter Server<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello ITPS and SIRC,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Good morning.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are about 6K instances internet-facing according to Shodan:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:12.0pt;color:#7030A0">Critical RCE Vulnerability Found in VMware vCenter Server — Patch Now!<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">VMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Tracked as CVE-2021-21985 (CVSS score 9.8), the issue stems from a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in the vCenter
Server. "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server," VMware said in its advisory.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">While VMware is strongly recommending that customers apply the "emergency change," the company has published a workaround to set the plug-ins as incompatible. "Disablement of these plug-ins
will result in a loss of management and monitoring capabilities provided by the plug-ins," the company noted.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">"<span style="background:yellow;mso-highlight:yellow">Organizations who have placed their vCenter Servers on networks that are directly accessible from the Internet [...] should audit
their systems for compromise</span>," VMware added. "They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure."<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Link</span>:
<a href="https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html">
https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html</a><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">TLP: WHITE<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:12.0pt;color:#7030A0">MS-ISAC CYBERSECURITY ADVISORY<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">MS-ISAC ADVISORY NUMBER</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">2021-072<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">DATE(S) ISSUED</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">05/26/2021<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">SUBJECT</span></b><span style="color:#7030A0">:</span><span style="font-family:"Tahoma",sans-serif;color:#7030A0">
</span><span style="color:#7030A0"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Multiple Vulnerabilities in VMware vCenter Server Could Allow for Remote Code Execution<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">OVERVIEW</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Multiple vulnerabilities have been discovered in VMware vCenter Server, the most severe of which could allow for remote code execution. VMware vCenter Server is a centralized management
utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. Successful exploitation of these vulnerabilities could allow an attacker to execute remote code in the context of
the user running the application.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">THREAT INTELLIGENCE</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0;background:yellow;mso-highlight:yellow">There are currently no reports of these vulnerabilities being exploited in the wild</span><span style="color:#7030A0">.
</span><span style="color:black">[Ed. note: VMware is stating above that there is some risk of compromise …]</span><span style="color:#7030A0"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">SYSTEMS AFFECTED:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• VMware vCenter Server versions 6.5, 6.7, 7.0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">RISK</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Government:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-family:Symbol;color:#7030A0"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#7030A0">Large and medium government entities:
<span style="background:yellow;mso-highlight:yellow">High</span><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-family:Symbol;color:#7030A0"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#7030A0">Small government: Medium<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Businesses:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-family:Symbol;color:#7030A0"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#7030A0">Large and medium business entities:
<span style="background:yellow;mso-highlight:yellow">High</span><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-family:Symbol;color:#7030A0"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#7030A0">Small business entities: Medium<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-family:Symbol;color:#7030A0"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#7030A0">Home users: Low<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">TECHNICAL SUMMARY</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Multiple vulnerabilities have been discovered in VMware vCenter Server, which could result in remote code execution. Details of these vulnerabilities are as follows:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• A remote code execution vulnerability in vCenter Server which enables a malicious actor to execute commands with unrestricted privileges. (CVE-2021-21985)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• An authentication mechanism issue in vCenter Server Plug-ins which enables a malicious actor to perform unauthorized actions. (CVE-2021-21986)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. A prerequisite of exploiting these vulnerabilities is that the malicious actor must have network access over port
443 to exploit these vulnerabilities. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the user running the application.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">RECOMMENDATIONS</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">We recommend the following actions be taken:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• Apply appropriate updates provided by VMware to vulnerable systems immediately after appropriate testing.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">• Apply the Principle of Least Privilege to all systems and services.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">REFERENCES</span></b><span style="color:#7030A0">:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#7030A0">VMware</span>:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><a href="https://www.vmware.com/security/advisories/VMSA-2021-0010.html">https://www.vmware.com/security/advisories/VMSA-2021-0010.html</a>
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="color:#7030A0">CVE</span></b>:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985</a>
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21986</a>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:#0070C0">Enjoy a jocund day,</span></b><b><span style="font-size:24.0pt;font-family:"Times New Roman",serif"><o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="color:#0070C0">Robert Smith, CISSP, PMP<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#0070C0">Systemwide IT Policy Director/Security Director<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#0070C0">Information Technology Services<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#0070C0">University of California Office of the President<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#0070C0">(510) 587-6244 (o)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#0070C0">(510) 541-8103 (m)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#0070C0"><a href="mailto:robert.smith@ucop.edu"><span style="color:#0070C0">robert.smith@ucop.edu</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>