The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.
Known Attack Vectors
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
The vCenter team has investigated CVE-2021-21972 and CVE-2021-21973 and has determined that the possibility of exploitation can be removed by performing the steps detailed in the 'workaround' section of this article. This workaround is meant to be a temporary solution until the updates documented in VMSA-2021-0002 can be deployed.
Step 1: SSH into the vSphere appliance (10.10.x.x)
- If you receive a “connection refused” message, log into the vSphere Appliance Management console and enable SSH.
o Navigate to https://10.10.x.x:5480
o Authenticate with username/password
o Navigate to “Access”, then click “EDIT” and enable “SSH Login”
Step 2: Launch BASH by typing the “shell” command
Step 3: View the file below
Step 4: Edit the .xml file by adding the following line:
<PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
Step 5: The file should look like the image below
Step 6: Restart the vsphere-ui service from the same SSH (PuTTY) session, as root:
service-control --restart vsphere-ui
Step 7: Navigate to https://10.10.x.x:5480/ui/vropspluginui/rest/services/checkmobregister. The page should display a 404 / Not Found error (as shown below).
Step 8: Confirm that the VMware vROPS Client Plugin status is “Incompatible”
- Navigate to https://10.10.x.x
- Authenticate with username/password
- Go to Menu/Administration and click on Client Plug-Ins under the “Solutions” section.
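A small verification helper for Steps 4 and 7, added here as an example and not part of the VMware article: it checks that the vROps entry from Step 4 is present in the compatibility .xml file and that the plugin endpoint now answers 404. The XML path and the vCenter host are placeholders you must supply; the sample file it creates is constructed for a dry run only.

```shell
#!/bin/sh
# Added example, not VMware's code. Assumptions (placeholders, not from the article):
#   $1 of vrops_marked_incompatible = path of the .xml file edited in Step 4
#   $1 of vrops_endpoint_status     = vCenter host (with port if needed) from Step 7

# Return 0 when the file carries a PluginPackage entry for the vROps plugin
# with status="incompatible" (attribute order does not matter), else 1.
vrops_marked_incompatible() {
  grep -Eq '<PluginPackage[^>]*id="com\.vmware\.vrops\.install"[^>]*status="incompatible"' "$1"
}

# Return 0 when an entry for the vROps plugin exists but is NOT marked
# incompatible (the workaround was skipped or the edit was reverted).
vrops_entry_still_active() {
  grep -Eq '<PluginPackage[^>]*id="com\.vmware\.vrops\.install"' "$1" &&
    ! vrops_marked_incompatible "$1"
}

# Print the HTTP status the vropspluginui endpoint answers with.
# After the workaround (Step 7) this should be 404.
vrops_endpoint_status() {
  curl -k -s -o /dev/null -w '%{http_code}' \
    "https://$1/ui/vropspluginui/rest/services/checkmobregister"
}

# Constructed sample file for a local dry run; its layout is not the real
# vCenter file, only the Step 4 line is meaningful to the checks above.
make_sample_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
  <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</Matrix>
EOF
}
```

Run `vrops_marked_incompatible /path/from/step3.xml && vrops_endpoint_status vcenter.example` on the appliance; a 0 exit code plus `404` means both checks passed.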