Below are the manual mitigation steps for the recently published vulnerability CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check plugin RCE.
Vulnerability Description:
The vSphere Client (HTML5) component of VMware vCenter Server does not properly validate input passed to the Virtual SAN Health Check plug-in, which is enabled by default. By sending a specially crafted request to the /ui/h5-vsan/rest/ endpoint, a remote attacker with network access to the vSphere Client can execute arbitrary commands on the vCenter Server host without authenticating.
Cloud WAF customers are already protected out of the box (OOTB); no action is required on their side.
Below are manual mitigation steps to address CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check plugin RCE (for On-Prem customers):
- Create a new manual dictionary or use an existing one
- Create a new signature (inside the dictionary from the previous step) with the following definition. The part= term is a literal substring that must appear in the URL and the rgxp= term is a regular expression; both must match for the signature to fire:
  Name: CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check plugin RCE
  Signature: part="/h5-vsan/rest/proxy/service", rgxp="(&vsanQueryUtil_setDataService|&vsanProviderUtils_setVmodlHelper)"
  Protocols: http, https
  Search Signature In: Urls
- Create a new "HTTP Protocol Signatures" policy that uses the dictionary from step 1 and apply it to the server group / web service that fronts the vCenter Server, so that requests to the vSphere Client pass through the policy.
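To check what the signature above will and will not match before pushing the policy, here is an added example (not part of the original post and not WAF product code) that emulates the two signature terms in Python: part= as a literal substring test and rgxp= as a regular expression, ANDed together. The sample request paths are constructed for the test; only the two bean names come from the signature itself, and the method segment after them is a placeholder. The example also assumes the WAF percent-decodes the URL before matching, which the post does not state, and shows why that matters for a %26-encoded variant of the "&" prefix.

```python
import re
import urllib.parse

# Signature fields exactly as given in the mitigation steps above.
PART = "/h5-vsan/rest/proxy/service"  # literal substring that must appear in the URL
RGXP = re.compile(r"(&vsanQueryUtil_setDataService|&vsanProviderUtils_setVmodlHelper)")


def normalize_url(raw_url: str) -> str:
    """Return the percent-decoded request path (query string dropped).

    Assumption (not stated in the post): the WAF URL-decodes the request
    line before evaluating dictionary signatures. Without this step a
    request carrying %26 instead of '&' would slip past the regex.
    """
    path = raw_url.split("?", 1)[0]
    return urllib.parse.unquote(path)


def signature_matches(raw_url: str) -> bool:
    """Emulate the dictionary signature: both part= and rgxp= must hit."""
    url = normalize_url(raw_url)
    return PART in url and RGXP.search(url) is not None


# Constructed sample paths (not captured traffic) with the verdict we expect.
# "exampleMethod" is a placeholder segment, not a real plug-in method name.
SAMPLES = {
    # Bean-proxy paths carrying the '&' prefixed bean names from the signature -> blocked
    "/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/exampleMethod": True,
    "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/exampleMethod": True,
    # Same request with '&' percent-encoded -> blocked only because we decode first
    "/ui/h5-vsan/rest/proxy/service/%26vsanQueryUtil_setDataService/exampleMethod": True,
    # Legitimate-looking vSAN health call without the '&' prefix -> must pass
    "/ui/h5-vsan/rest/proxy/service/vsanHealthSystem/exampleMethod": False,
    # Regex hits but the literal part= is absent -> must pass (both terms are ANDed)
    "/other/&vsanQueryUtil_setDataService/exampleMethod": False,
    # Unrelated vSphere Client URL -> must pass
    "/ui/login": False,
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample path to the emulated signature verdict."""
    return {url: signature_matches(url) for url in samples}


def all_expected(samples=SAMPLES) -> bool:
    """True when every sample gets the verdict we expect of the signature."""
    return all(signature_matches(url) == want for url, want in samples.items())


if __name__ == "__main__":
    for url, blocked in evaluate().items():
        print(("BLOCK " if blocked else "ALLOW ") + url)
    print("all samples as expected:", all_expected())
```

The %26 case is the one to confirm against the real appliance: send a request with the encoded prefix and verify the policy still fires. The regex is deliberately tight to the two bean names named in the post, so it will not match other paths under /h5-vsan/rest/proxy/service; that keeps false positives low but means the signature is a stopgap until the vCenter patch or VMware's plug-in disablement workaround is applied.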
#On-PremisesWAF (formerly SecureSphere)