VMSA-2021-0014: VMware ESXi updates address authentication and denial of service vulnerabilities
23606
22 August 2021
11 July 2021
CLOSED
HIGH
5.3-7.0
CVE-2021-21994, CVE-2021-21995
1. Impacted Products
- VMware ESXi
- VMware Cloud Foundation (Cloud Foundation)
2. Introduction
Multiple vulnerabilities in VMware ESXi were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products.
3a. ESXi SFCB improper authentication vulnerability (CVE-2021-21994)
Description
SFCB (Small Footprint CIM Broker) as used in ESXi has an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.0.
Known Attack Vectors
A malicious actor with network access to port 5989 on ESXi may exploit this issue to bypass SFCB authentication by sending a specially crafted request.
Resolution
To remediate CVE-2021-21994 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2021-21994 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Notes
SFCB service is not enabled by default on ESXi. For successful exploitation, SFCB service should be running. The status of the service can be checked by following the steps mentioned in KB1025757.
Acknowledgements
VMware would like to thank Douglas Everson of Voya Financial for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2021-21994 | | important | | | None |
ESXi | 6.7 | Any | CVE-2021-21994 | | important | | | None |
ESXi | 6.5 | Any | CVE-2021-21994 | | important | | | None |
Impacted Product Suites that Deploy Response Matrix 3a Components:
3b. ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)
Description
OpenSLP as used in ESXi has a denial-of-service vulnerability due to a heap out-of-bounds read issue. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors
A malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in OpenSLP service resulting in a denial-of-service condition.
Resolution
To remediate CVE-2021-21995 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2021-21995 have been listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
None.
Notes
Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. For more information, see our blog posting: https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html
Acknowledgements
VMware would like to thank VictorV(Tangtianwen) of Kunlun Lab for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 7.0 | Any | CVE-2021-21995 | | moderate | | | None |
ESXi | 6.7 | Any | CVE-2021-21995 | | moderate | | | None |
ESXi | 6.5 | Any | CVE-2021-21995 | | moderate | | | None |
Impacted Product Suites that Deploy Response Matrix 3b Components:
4. References
VMware ESXi 7.0 ESXi70U2-17630552
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-702-release-notes.html
VMware ESXi 6.7 ESXi670-202103101-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202103001.html
VMware ESXi 6.5 ESXi650-202107401-SG
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202107001.html
VMware Cloud Foundation 4.3
Downloads and Documentation:
VMware Cloud Foundation 3.10.2
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21995
FIRST CVSSv3 Calculator:
CVE-2021-21994: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE-2021-21995: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5. Change Log
2021-07-13 VMSA-2021-0014
Initial security advisory.
2021-08-24 VMSA-2021-0014.1
Added Cloud Foundation 4.x fixed version in the Response Matrix section of 3a and 3b.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2021 VMware Inc. All rights reserved.