VMSA-2021-0014
Severity: Important
CVSSv3 Range: 5.3-7.0
Issue Date: 2021-07-13
Updated On: 2021-07-13 (Initial Advisory)
CVE(s): CVE-2021-21994, CVE-2021-21995
Synopsis: VMware ESXi updates address authentication and denial of service vulnerabilities (CVE-2021-21994, CVE-2021-21995)

1. Impacted Products
  • VMware ESXi
  • VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware ESXi were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products.

3a. ESXi SFCB improper authentication vulnerability (CVE-2021-21994)

Description

SFCB (Small Footprint CIM Broker), as used in ESXi, has an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.0.

Known Attack Vectors

A malicious actor with network access to port 5989 on ESXi may exploit this issue to bypass SFCB authentication by sending a specially crafted request.

Resolution

To remediate CVE-2021-21994 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-21994 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Notes

The SFCB service is not enabled by default on ESXi, and successful exploitation requires it to be running. The status of the service can be checked by following the steps in KB1025757.

Acknowledgements

VMware would like to thank Douglas Everson of Voya Financial for reporting this issue to us.

Response Matrix

Product                 | Version | Running On | CVE Identifier | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
ESXi                    | 7.0     | Any        | CVE-2021-21994 |        | Important |               |             | None
ESXi                    | 6.7     | Any        | CVE-2021-21994 |        | Important |               |             | None
ESXi                    | 6.5     | Any        | CVE-2021-21994 |        | Important |               |             | None

Impacted Product Suites that Deploy Response Matrix 3a Components:

Product                 | Version | Running On | CVE Identifier | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
Cloud Foundation (ESXi) | 4.x     | Any        | CVE-2021-21994 |        | Important | Patch pending |             | None
Cloud Foundation (ESXi) | 3.x     | Any        | CVE-2021-21994 |        | Important |               |             | None

3b. ESXi OpenSLP denial-of-service vulnerability (CVE-2021-21995)

Description

OpenSLP, as used in ESXi, has a denial-of-service vulnerability due to a heap out-of-bounds read. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 427 on ESXi may be able to trigger a heap out-of-bounds read in the OpenSLP service, resulting in a denial-of-service condition.

Resolution

To remediate CVE-2021-21995 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2021-21995 have been listed in the 'Workarounds' column of the 'Response Matrix' below.

Additional Documentation

None.

Notes

Per the Security Configuration Guides for VMware vSphere, VMware now recommends disabling the OpenSLP service in ESXi if it is not used. For more information, see our blog posting: https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html
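The notes for both issues come down to the same operational question: which hosts still run SFCB (TCP 5989) or OpenSLP (427), and can those services be turned off where they are not needed? The following PowerCLI script is an added example, not part of this advisory or VMware's own tooling. It assumes an existing Connect-VIServer session to vCenter and uses the ESXi host service keys sfcbd-watchdog (CIM server) and slpd (SLP daemon); it only reports unless -Remediate is given.

```powershell
# Added example: audit, and optionally disable, the two ESXi services named in VMSA-2021-0014.
# Assumes Connect-VIServer has already been run against vCenter (hypothetical session).
param(
    [switch]$Remediate   # without this switch the script only reports
)

# Service keys as listed by Get-VMHostService on an ESXi host
$targets = @{
    'sfcbd-watchdog' = 'SFCB CIM server (TCP 5989, CVE-2021-21994)'
    'slpd'           = 'OpenSLP daemon (TCP/UDP 427, CVE-2021-21995)'
}

$report = foreach ($vmhost in Get-VMHost) {
    foreach ($svc in Get-VMHostService -VMHost $vmhost) {
        if (-not $targets.ContainsKey($svc.Key)) { continue }

        # A service counts as exposed if it is running now or would start on reboot
        $exposed = $svc.Running -or ($svc.Policy -ne 'off')

        [pscustomobject]@{
            Host    = $vmhost.Name
            Build   = $vmhost.Build       # compare against the fixed build for the host's version
            Service = $svc.Key
            Purpose = $targets[$svc.Key]
            Running = $svc.Running
            Policy  = $svc.Policy         # 'on', 'off' or 'automatic'
            Exposed = $exposed
        }

        # Note: sfcbd also backs CIM-based hardware health monitoring; confirm it is
        # unused before disabling it. OpenSLP is rarely needed and VMware recommends
        # disabling it when not in use.
        if ($Remediate -and $exposed) {
            if ($svc.Running) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            }
            Set-VMHostService -HostService $svc -Policy 'off' -Confirm:$false | Out-Null
        }
    }
}

# Full inventory, then the list of hosts that still need patching or disabling
$report | Sort-Object Host, Service | Format-Table -AutoSize
$report | Where-Object Exposed | Select-Object -ExpandProperty Host -Unique
```

Hosts that remain in the exposed list after remediation are the ones where the service is deliberately kept and the patch in the Response Matrix is the only fix.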

Acknowledgements

VMware would like to thank VictorV(Tangtianwen) of Kunlun Lab for reporting this issue to us.

Response Matrix

Product                 | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
ESXi                    | 7.0     | Any        | CVE-2021-21995 |        | Moderate |               |             | None
ESXi                    | 6.7     | Any        | CVE-2021-21995 |        | Moderate |               |             | None
ESXi                    | 6.5     | Any        | CVE-2021-21995 |        | Moderate |               |             | None

Impacted Product Suites that Deploy Response Matrix 3b Components:

Product                 | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
Cloud Foundation (ESXi) | 4.x     | Any        | CVE-2021-21995 |        | Moderate | Patch pending |             | None
Cloud Foundation (ESXi) | 3.x     | Any        | CVE-2021-21995 |        | Moderate |               |             | None

4. References
5. Change Log

2021-07-13 VMSA-2021-0014
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2021 VMware Inc. All rights reserved.