April Vuln of the Month: CVE-2021-21972
Yesterday was Patch Tuesday, which makes today Exploit Wednesday—the day we publish our latest Vuln of the Month blog. In this month’s blog we spotlight CVE-2021-21972, a named CVE that may not already be on your radar screen, but probably should be.
This month’s vuln: CVE-2021-21972
April’s Vuln of the Month is CVE-2021-21972, a remote code execution vulnerability in a plugin of the vSphere HTML5 Client for vCenter Server. As of this writing, CVE-2021-21972 has a Kenna Risk Score of 92, making it the highest-risk vulnerability covered in this series so far.
Our research shows that CVE-2021-21972 meets many of the criteria we associate with vulnerabilities that go on to be widely exploited, including:
- Access complexity: Low
- Potential attack surface: >400K
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Complete
- Exploit code published: Yes
- Active exploits observed: No
As the above graph illustrates, only 0.62% of observed vulnerabilities pose a larger risk than CVE-2021-21972.
Why CVE-2021-21972 matters
While we have previously concentrated on vulnerabilities with wider installs (which usually means Windows CVEs), vSphere, vCenter Server, and VMware Cloud Foundation are essential components of virtual environments in more than 400,000 enterprises. And all of these are impacted by CVE-2021-21972.
Promptly remediating CVE-2021-21972 is advisable because a malicious actor with network access to port 443 can exploit this CVE with no credentials. PT Security, who discovered the vulnerability in November and informed vSphere maker VMware, describes testing an exploit of this vulnerability by uploading a .jsp script to the server, which would then allow attackers to execute arbitrary OS commands remotely, without authentication, and with unrestricted privileges.
Like any responsible vendor, VMware published patches and remediation instructions (along with various workarounds) on its own security advisory site. This is noteworthy because our own research shows remediation velocity is largely influenced by the timely actions of vendors in issuing patches for new CVEs. (PT Security reports that VMware was on the case within a day of their reporting the vuln.)
Bottom line on CVE-2021-21972
The high risk score associated with this vuln suggests that this vulnerability should be patched on every impacted VMware product.
On Feb. 24, 2021, VMware published patches and links to workarounds for CVE-2021-21972 in a VMware Security Advisory.
Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our extensive vulnerability intelligence powered by machine learning.