Blog Viewer

Manual Mitigation for CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check plugin RCE

By Patrick Mccrudden(csp) posted 06-09-2021 10:31

  

Below are the manual mitigation for the recently published vulnerability CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check plugin RCE

 

Vulnerability Description:

A vulnerability in VMware vCenter Server contains a flaw in the vSphere Client (HTML5) that is triggered as input passed to the Virtual SAN Health Check plug-in is not properly validated. With a specially crafted request to the /ui/h5-vsan/rest/ endpoint, a remote attacker can execute arbitrary commands.

 

Cloud WAF customers are already protected OOTB.

 

Below are manual mitigation steps to address CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check plugin RCE (for On-Prem customers):

 

  1. Create a new manual dictionary or use an existing one
  2. Create a new signature (inside the dictionary from the previous step) with the following definition:

 

  • Signature name: 

       CVE-2021-21985: VMware vCenter Server Virtual SAN Health Check plugin RCE

  • Signature pattern: 

       part="/h5-vsan/rest/proxy/service", rgxp="(&vsanQueryUtil_setDataService|&vsanProviderUtils_setVmodlHelper)"

  •  Protocols:

       http

       https

  • Search Signature in:

       Urls

 

  1. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it  

 


#On-PremisesWAF(formerlySecuresphere)
0 comments
533 views

Permalink