VMware has released a new security advisory VMSA-2021-0014: VMware ESXi updates address authentication and denial of service vulnerabilities (CVE-2021-21994, CVE-2021-21995).
Multiple vulnerabilities in VMware ESXi were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one important issue (CVSSv3 score 7) and one moderate issue (CVSSv3 score 5.3).
The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2021-21994 to the ESXi SFCB improper authentication vulnerability and CVE-2021-21995 to the ESXi OpenSLP denial-of-service vulnerability.
VMSA-2021-0014 – Description and Workarounds
A malicious actor with network access to port 5989 on ESXi may exploit the SFCB improper authentication vulnerability to bypass SFCB authentication by sending a specially crafted request. SFCB service is disabled by default. The service starts when you install a third-party CIM VIB, for example, when you run the esxcli software vib install -n VIBname command. You can check status and disable SFCB service using:
- vSphere Client
- select the ESXi host
- click on Configure -> Services
- click on “CIM Server”
- stop the service
- disable the service from “Startup Policy”
- Command line
- check status (chkconfig sfcbd-watchdog; /etc/init.d/sfcbd-watchdog status)
- disable service (chkconfig sfcbd-watchdog off; /etc/init.d/sfcbd-watchdog stop)
For the second vulnerability, a malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in OpenSLP service resulting in a denial-of-service condition. Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. Keep in mind that other vulnerabilities were reported too for OpenSLP service (VMSA-2019-0022, VMSA-2020-0023). As a workaround, you can disable OpenSLP service using these commands:
- Stop the SLP service on the ESXi host (/etc/init.d/slpd stop)
- Disable SLP service (esxcli network firewall ruleset set -r CIMSLP -e 0)
- Make the change persistent across reboots (chkconfig slpd off)
VMSA-2021-0014 – Affected Products and Resolutions
Both vulnerabilities affect these VMware products:
- ESXi 7.0
- install ESXi 7.0 Update 2, build 17630552
- https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-702-release-notes.html
- ESXi 6.7
- install Patch Release ESXi670-202103001, build 17700523
- https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202103001.html
- ESXi 6.5
- install Patch Release ESXi650-202107001, build 18071574
- https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202107001.html
VMware also listed the product suits which deploy affected versions of ESXi:
- VMware Cloud Foundation 4.x
- patch pending
- VMware Cloud Foundation 3.x
- install VMware Cloud Foundation 3.10.2
- https://docs.vmware.com/en/VMware-Cloud-Foundation/3.10.2/rn/VMware-Cloud-Foundation-3102-Release-Notes.html
You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.
