CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.9%
The version of VMware vCenter Server installed on the remote host is 6.7 prior to 6.7 U3o. It is, therefore, affected by multiple vulnerabilities:
- A privilege escalation vulnerability exists in vCenter Server due to the way it handles session tokens. An authenticated, local attacker can exploit this to gain unauthorized access to the system. (CVE-2021-21991, CVE-2021-22015)
- A reverse proxy bypass vulnerability exists in vCenter Server due to the way the endpoints handle the URI. An unauthenticated, remote attacker can exploit this to gain unauthorized access to restricted endpoints.
(CVE-2021-22006)
- An rhttproxy bypass vulnerability exists in vCenter Server due to improper implementation of URI normalization. An unauthenticated, remote attacker can exploit this to gain access to internal endpoints. (CVE-2021-22017)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number. Nessus has also not tested for the presence of a workaround.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(153544);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/30");
script_cve_id(
"CVE-2021-21991",
"CVE-2021-21992",
"CVE-2021-21993",
"CVE-2021-22005",
"CVE-2021-22006",
"CVE-2021-22007",
"CVE-2021-22008",
"CVE-2021-22009",
"CVE-2021-22010",
"CVE-2021-22011",
"CVE-2021-22014",
"CVE-2021-22015",
"CVE-2021-22016",
"CVE-2021-22017",
"CVE-2021-22019",
"CVE-2021-22020"
);
script_xref(name:"IAVA", value:"2021-A-0434-S");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2021/11/17");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/01/24");
script_xref(name:"CEA-ID", value:"CEA-2021-0045");
script_name(english:"VMware vCenter Server < 6.7 Multiple Vulnerabilities (VMSA-2021-0020)");
script_set_attribute(attribute:"synopsis", value:
"A virtualization management application installed on the remote host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of VMware vCenter Server installed on the remote host is 6.7 prior to 6.7 U3o. It is, therefore, affected
by multiple vulnerabilities:
- A privilege escalation vulnerability exists in vCenter Server due to the way it handles session tokens.
An authenticated, local attacker can exploit this to gain unauthorized access to the system.
(CVE-2021-21991, CVE-2021-22015)
- A reverse proxy bypass vulnerability exists in vCenter Server due to the way the endpoints handle the URI.
An unauthenticated, remote attacker can exploit this to gain unauthorized access to restricted endpoints.
(CVE-2021-22006)
- An rhttproxy bypass vulnerability exists in vCenter Server due to improper implementation of URI
normalization. An unauthenticated, remote attacker can exploit this to gain access to internal
endpoints. (CVE-2021-22017)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number. Nessus has also not tested for the presence of a workaround.");
script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2021-0020.html");
script_set_attribute(attribute:"solution", value:
"Upgrade to VMware vCenter Server 6.7 U3o or later or apply the workaround mentioned in the advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-22014");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-22005");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'VMware vCenter Server Analytics (CEIP) Service File Upload');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/21");
script_set_attribute(attribute:"patch_publication_date", value:"2021/09/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/09/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_server");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("vmware_vcenter_detect.nbin");
script_require_keys("Host/VMware/vCenter", "Host/VMware/version", "Host/VMware/release");
script_require_ports("Services/www", 80, 443);
exit(0);
}
var fixes = make_array(
'6.7', '18485166' # 6.7 U3o
);
var port = get_kb_item_or_exit('Host/VMware/vCenter');
var version = get_kb_item_or_exit('Host/VMware/version');
var release = get_kb_item_or_exit('Host/VMware/release');
# Extract and verify the build number
var build = ereg_replace(pattern:"^VMware vCenter Server [0-9\\.]+ build-([0-9]+)$", string:release, replace:"\1");
if (build !~ "^[0-9]+$") audit(AUDIT_UNKNOWN_BUILD, 'VMware vCenter 6.7');
var match = pregmatch(pattern:"^VMware vCenter ([0-9]+\.[0-9]+).*$", string:version);
if (isnull(match)) audit(AUDIT_OS_NOT, 'VMware vCenter 6.7');
var ver = match[1];
if (ver !~ "^6\.7$") audit(AUDIT_OS_NOT, 'VMware vCenter 6.7');
var fixed_build = int(fixes[ver]);
if (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);
release = release - 'VMware vCenter Server ';
if (build >= fixed_build)
audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);
var report = '\n VMware vCenter version : ' + ver +
'\n Installed build : ' + build +
'\n Fixed build : ' + fixed_build +
'\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21991
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21992
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21993
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22005
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22006
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22007
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22008
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22009
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22010
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22011
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22014
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22015
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22016
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22017
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22019
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22020
www.vmware.com/security/advisories/VMSA-2021-0020.html
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.9%