AttackerKB AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D
History: May 26, 2021 - 12:00 a.m.

CVE-2021-21985

2021-05-26 00:00:00
attackerkb.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.974 High
Percentile: 99.9%

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Recent assessments:

wvu-r7 at May 28, 2021 10:35pm UTC reported:

Docked exploitability a point because a valid bean and method must be known. See the Rapid7 analysis for more context.

ETA: Cat’s out of the bag. JNDI injection PoC. I’ve confirmed it works. Here are all the beans you can use for this:

vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanFormatUtils_setUserSessionService
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanUtils_setMessageBundle
vsphereHealthProviderUtils_setVsphereHealthServiceFactory

For reference, here are all the registered beans in my environment:

advancedOptionsService
capabilityPropertyProviderImpl
ceipService
clusterDpConfigService
cnManager
computeInventoryService
configureClusterService
configureStretchedClusterService
configureVsanClusterMutationProviderImpl
connectionRetention
dataAccessController
dataService
dataServiceExtensionRegistry
datacenterInventoryService
diskGroupMutationService
diskManagementService
dpClient
dpFactory
encryptionMutationProvider
encryptionPropertyProvider
execFactory
execSettings
guardRailPropertyProviderAdapter
hciClusterService
healthCheckDelay
healthCheckTimeout
legacyVsanObjectVersionProviderImpl
localizedMessageBundle
lookupSvcClient
lsFactory
lsLocator
multiVmRestoreBacking
mvcContentNegotiationManager
mvcCorsConfigurations
mvcHandlerMappingIntrospector
mvcUriComponentsContributor
networkInventoryService
networkIpConfigProvider
obfuscationController
obfuscationService
objectReferenceService
org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#0
org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#1
org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#2
org.springframework.context.annotation.internalAsyncAnnotationProcessor
org.springframework.context.annotation.internalAutowiredAnnotationProcessor
org.springframework.context.annotation.internalCommonAnnotationProcessor
org.springframework.context.annotation.internalConfigurationAnnotationProcessor
org.springframework.context.annotation.internalPersistenceAnnotationProcessor
org.springframework.context.annotation.internalRequiredAnnotationProcessor
org.springframework.context.annotation.internalScheduledAnnotationProcessor
org.springframework.context.event.internalEventListenerFactory
org.springframework.context.event.internalEventListenerProcessor
org.springframework.format.support.FormattingConversionServiceFactoryBean#0
org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping
org.springframework.web.servlet.handler.MappedInterceptor#0
org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter
org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0
org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping
org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0
org.springframework.web.servlet.view.ContentNegotiatingViewResolver#0
pbmClient
pbmDataProviderImpl
pbmFactory
permissionService
physicalDisksService
proactiveTestsService
promoteActionController
proxygenController
purgeInaccessibleVmSwapObjectsProvider
restoreWorkflowBacking
sessionScheduler
singleVmRestoreBacking
ssoFactory
taskService
updateDbService
userSessionService
vcClient
vcFactory
vcPropertiesFacade
virtualObjectsDataProtectionController
virtualObjectsService
vlsiSettingsTemplate
vmConsistencyGroupPropertyProvider
vmDataProtectionPropertyProviderAdapter
vmDataProtectionSummaryController
vmDataProtectionSyncPointsController
vmDiskPlacementProvider
vmFolderInventorySerivce
vmInventoryService
vmodlContext
vmodlHelper
vsanCapabilityCacheManager
vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanClusterPropertyProviderAdapter
vsanClusterPropertyProviderAdapterImpl
vsanComponentsProviderImpl
vsanConfigPropertyProviderAdapter
vsanConfigPropertyProviderAdapterImpl
vsanConfigService
vsanDiskMappingsProvider
vsanDpInventoryHelper
vsanDpServicePitProvider
vsanExecutor
vsanFolderPropertyProviderAdapter
vsanFolderPropertyProviderAdapterImpl
vsanFormatUtils_setUserSessionService
vsanHealthProviderImpl
vsanHealthServiceMutationProviderImpl
vsanHostPropertyProviderAdapter
vsanIscsiInitiatorGroupMutationProviderImpl
vsanIscsiInitiatorGroupPropertyProviderImpl
vsanIscsiMutationProviderImpl
vsanIscsiPropertyProviderImpl
vsanIscsiTargetDataAdapter
vsanIscsiTargetDataAdapterImpl
vsanIscsiTargetMutationProviderImpl
vsanIscsiTargetPropertyProviderImpl
vsanMutationProviderImpl
vsanObjectSystemProvider
vsanPerfDiagnosticProviderImpl
vsanPerfMutationProviderImpl
vsanPerfProviderImpl
vsanPropertyProviderImpl
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanResyncingComponentsProvider
vsanResyncingComponentsRetriever
vsanResyncingIscsiTargetComponentsProvider
vsanServiceBundleActivator
vsanServiceFactory
vsanStretchedClusterMutationProviderImpl
vsanStretchedClusterPropertyProviderImpl
vsanSupportMutationProviderImpl
vsanSupportProviderImpl
vsanThreadPoolImpl
vsanUpgradeMutationProviderImpl
vsanUpgradePropertyProviderAdapter
vsanUpgradeProviderImpl
vsanUtils_setMessageBundle
vsanVirtualDisksDataProvider
vsanVirtualObjectsProvider
vsanWorkerThreadFactory
vsphereHealthProviderUtils_setVsphereHealthServiceFactory
vsphereHealthServiceFactory
vsphereHealthThreadPoolImpl
vumLoginService
vumPropertyProviderAdapter
whatIfPropertyProviderAdapter
whatIfPropertyProviderImpl
witnessCandidateInventoryService
witnessHostsProvider

Note that methodInput is still somewhat limited by what ProxygenSerializer can deserialize, so the JNDI injection via static method is good for arbitrary method invocation, callback notwithstanding. Jang (@testanull) points out that TypeConverter can be leveraged to work around this issue. Jang’s writeup is here.

Update: A new RCE chain writeup involving SSRF has been published [by the original researcher].
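The assessment above boils down to one detection signal: an unauthenticated request that names one of the seven `*_set*` beans together with a method that retargets or fires a Spring MethodInvokingFactoryBean (setTargetObject, setStaticMethod, setArguments, prepare, invoke and friends). The following access-log triage script is an added example written for this page; it is not code from the assessment, from Rapid7 or from VMware. It assumes, because the page does not state them, the request path shape `/ui/h5-vsan/rest/proxy/service/<bean>/<method>` used by the public PoCs and a simplified combined-style log format; the log lines and the non-pivot method name in them are constructed for illustration.

```python
"""
Access-log triage for the CVE-2021-21985 exploitation pattern: an
unauthenticated caller naming a Spring bean and a method that the vSAN
Health plug-in's proxygen controller then invokes reflectively.

Added example, not page/Rapid7/VMware code. Assumptions not on the page:
the path shape /ui/h5-vsan/rest/proxy/service/<bean>/<method> and the
simplified combined-style log lines, which are constructed below.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# The seven beans the assessment lists as usable for the JNDI-injection PoC.
PIVOT_BEANS = frozenset({
    "vsanCapabilityUtils_setVsanCapabilityCacheManager",
    "vsanFormatUtils_setUserSessionService",
    "vsanProviderUtils_setVmodlHelper",
    "vsanProviderUtils_setVsanServiceFactory",
    "vsanQueryUtil_setDataService",
    "vsanUtils_setMessageBundle",
    "vsphereHealthProviderUtils_setVsphereHealthServiceFactory",
})

# Public methods of Spring's MethodInvokingFactoryBean (inherited from MethodInvoker)
# that let a caller point the bean at an arbitrary static method, e.g.
# javax.naming.InitialContext.doLookup("ldap://..."), and then execute it.
RETARGET_METHODS = frozenset({"setTargetObject", "setTargetClass",
                              "setTargetMethod", "setStaticMethod", "setArguments"})
FIRE_METHODS = frozenset({"prepare", "invoke", "afterPropertiesSet", "getObject"})

# Constructed, simplified access-log line: client, verb, path, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<verb>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumed path shape of the proxygen endpoint (taken from public write-ups, not this page).
PROXY_RE = re.compile(r"^/ui/h5-vsan/rest/proxy/service/(?P<bean>[^/?#]+)/(?P<method>[^/?#]+)")


def classify(path):
    """Return (severity, bean, method) for a proxygen call, or None for any other path."""
    m = PROXY_RE.match(unquote(path))
    if not m:
        return None
    bean, method = m.group("bean"), m.group("method")
    if bean in PIVOT_BEANS and method in (RETARGET_METHODS | FIRE_METHODS):
        return ("critical", bean, method)   # direct hit on the JNDI pivot
    if bean in PIVOT_BEANS or method in RETARGET_METHODS:
        return ("high", bean, method)       # one half of the pattern
    return ("info", bean, method)           # any reflective call on an exposed bean


def scan(lines):
    """Classify every proxygen request; flag clients that complete a retarget-then-fire chain."""
    findings, per_client = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        c = classify(m.group("path"))
        if c is None:
            continue
        sev, bean, method = c
        findings.append({"client": m.group("client"), "severity": sev,
                         "bean": bean, "method": method, "status": m.group("status")})
        if bean in PIVOT_BEANS:
            per_client[m.group("client")].add(method)
    chains = sorted(ip for ip, ms in per_client.items()
                    if ms & RETARGET_METHODS and ms & FIRE_METHODS)
    return findings, chains


# Constructed sample: one client running the retarget-then-invoke sequence against a
# pivot bean, one ordinary call on a non-pivot bean (method name is a placeholder),
# and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2021:18:02:11 +0000] "POST /ui/h5-vsan/rest/proxy/service/vsanQueryUtil_setDataService/setTargetObject HTTP/1.1" 200 14
203.0.113.7 - - [26/May/2021:18:02:11 +0000] "POST /ui/h5-vsan/rest/proxy/service/vsanQueryUtil_setDataService/setStaticMethod HTTP/1.1" 200 14
203.0.113.7 - - [26/May/2021:18:02:12 +0000] "POST /ui/h5-vsan/rest/proxy/service/vsanQueryUtil_setDataService/setArguments HTTP/1.1" 200 14
203.0.113.7 - - [26/May/2021:18:02:12 +0000] "POST /ui/h5-vsan/rest/proxy/service/vsanQueryUtil_setDataService/prepare HTTP/1.1" 200 14
203.0.113.7 - - [26/May/2021:18:02:13 +0000] "POST /ui/h5-vsan/rest/proxy/service/vsanQueryUtil_setDataService/invoke HTTP/1.1" 500 88
198.51.100.4 - - [26/May/2021:18:05:40 +0000] "POST /ui/h5-vsan/rest/proxy/service/vsanHealthProviderImpl/getClusterHealthSummary HTTP/1.1" 200 2041
198.51.100.4 - - [26/May/2021:18:05:41 +0000] "GET /ui/login HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    findings, chains = scan(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:8} {f['client']:14} {f['bean']}.{f['method']} -> {f['status']}")
    print("retarget-then-fire chains from:", chains)
```

Two design points: the "info" tier is deliberate, because every reflective call on a registered bean through this endpoint is worth a baseline on an unpatched host, not only the seven pivot beans; and the chain logic keys on the set of methods per client rather than on strict ordering, since the PoC's setter calls can arrive in any order and only the presence of both a retarget and a fire call matters. A 500 on the final invoke (as in the sample) is typical when the JNDI lookup fails or the callback is unreachable, so do not treat a non-200 as a sign the attempt was harmless.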

ccondon-r7 at May 26, 2021 5:41pm UTC reported:


Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4
