VMware vCenter SSRF Vulnerability Audit

Find Vulnerable VMware vCenter Servers

VMware released a new security advisory with details of vCenter vulnerabilities that have been fixed. Listed as CVE-2021-21980, this arbitrary file read vulnerability in the vSphere Web Client has been given a CVSSv3 base score of 7.5. The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability: an attacker with network access to port 443 on the vCenter Server can exploit it to gain access to sensitive information.

Since vCenter version 7.0 does not have the vCenter Server vSphere Web Client (FLEX/Flash) component, it is not vulnerable. You can read more about this vulnerability in the vCenter vulnerability blog post.

To help you protect your environment, the report below provides an overview of all your VMware vCenter Servers along with their version and build number, and indicates whether each server is vulnerable. To fix the vulnerability, update your vCenter Servers to the patched release: the version released on 23 November for 6.7 and on 13 October for 6.5.

2021-11-25:
- Fixed build number for 6.7

VMware vCenter Vulnerability Query

Select Top 1000000 tblAssets.AssetID,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetName,
  tblAssets.IPAddress,
  tblAssetCustom.Manufacturer,
  tblVmwareProductInfo.Vendor,
  tblVmwareProductInfo.OsType,
  tblVmwareProductInfo.Version,
  tblVmwareProductInfo.Build,
  -- Fixed builds: 6.5 >= 18711281, 6.7 >= 18831016; 7.0 has no FLEX/Flash client
  Case
    When tblVmwareProductInfo.Version Like '6.5%' And
      Convert(bigint, tblVmwareProductInfo.Build) >= 18711281 Then 'Safe'
    When tblVmwareProductInfo.Version Like '6.7%' And
      Convert(bigint, tblVmwareProductInfo.Build) >= 18831016 Then 'Safe'
    When tblVmwareProductInfo.Version Like '7.0%' Then 'Safe'
    Else 'Vulnerable'
  End As [Safe/Vulnerable],
  -- Most recent scanning error for the asset; an empty ErrorText is not an error
  Case
    When tblErrors.ErrorText Is Not Null And
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried,
  -- Row colour: green when safe, red when vulnerable (same thresholds as above)
  Case
    When tblVmwareProductInfo.Version Like '6.5%' And
      Convert(bigint, tblVmwareProductInfo.Build) >= 18711281 Then '#d4f4be'
    When tblVmwareProductInfo.Version Like '6.7%' And
      Convert(bigint, tblVmwareProductInfo.Build) >= 18831016 Then '#d4f4be'
    When tblVmwareProductInfo.Version Like '7.0%' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblVmwareVcenters
  Inner Join tblAssets On tblAssets.AssetID = tblVmwareVcenters.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Inner Join tblVmwareProductInfo On tblVmwareVcenters.VcenterID =
    tblVmwareProductInfo.VCenterID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  -- Latest error record per asset
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
-- Active assets only, limited to the version lines covered by the advisory
Where tblState.Statename = 'Active' And
  (tblVmwareProductInfo.Version Like '6.5%' Or
   tblVmwareProductInfo.Version Like '6.7%' Or
   tblVmwareProductInfo.Version Like '7.0%')
Order By tblAssets.IPAddress,
  tblAssets.AssetName
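The same version-prefix and minimum-build check can be applied to a vCenter inventory exported from any other tool. The Python below is an added example, not part of this report or of Lansweeper; it mirrors the CASE logic of the query (6.5 safe from build 18711281, 6.7 safe from build 18831016, 7.0 not affected), skips non-active assets the way the WHERE clause does, and, unlike Convert(bigint), returns 'Unknown' for a row whose build was not scanned instead of failing the whole run. The hostnames, states and non-threshold build numbers in SAMPLE_ROWS are constructed for illustration.

```python
"""Classify vCenter Server inventory rows for CVE-2021-21980 using the
thresholds from the report query. Sample data below is constructed."""

# Minimum fixed build per affected version line (values from the report query).
FIXED_BUILDS = {
    "6.5": 18711281,  # patch released 13 October
    "6.7": 18831016,  # patch released 23 November
}
# 7.0 ships without the vSphere Web Client (FLEX/Flash) and is not affected.
NOT_AFFECTED_PREFIXES = ("7.0",)


def classify(version, build):
    """Return 'Safe', 'Vulnerable' or 'Unknown' for one vCenter row.

    'Unknown' covers a missing/non-numeric build (where the SQL Convert(bigint)
    would raise) and versions outside the lines the report covers, so they are
    surfaced for manual review rather than silently dropped."""
    if not version:
        return "Unknown"
    if version.startswith(NOT_AFFECTED_PREFIXES):
        return "Safe"
    for prefix, min_build in FIXED_BUILDS.items():
        if version.startswith(prefix):
            try:
                return "Safe" if int(build) >= min_build else "Vulnerable"
            except (TypeError, ValueError):
                return "Unknown"
    return "Unknown"


def audit(rows):
    """rows: iterable of (asset_name, state, version, build).
    Only 'Active' assets are assessed, as in the report's WHERE clause.
    Returns a sorted list of (asset_name, verdict)."""
    results = []
    for name, state, version, build in rows:
        if state != "Active":
            continue
        results.append((name, classify(version, build)))
    return sorted(results)


# Constructed sample inventory (hypothetical hostnames; only the two threshold
# builds are real values, taken from the query above).
SAMPLE_ROWS = [
    ("vcsa-prod-01", "Active", "6.7.0", "18831016"),    # exactly at the fixed build
    ("vcsa-prod-02", "Active", "6.7.0", "12345678"),    # older 6.7 build
    ("vcsa-lab-01", "Active", "6.5.0", "18711281"),
    ("vcsa-lab-02", "Active", "6.5.0", "11111111"),
    ("vcsa-new-01", "Active", "7.0.3", "99999999"),
    ("vcsa-old-01", "Non-active", "6.5.0", "10000000"),  # excluded: not active
    ("vcsa-odd-01", "Active", "6.7.0", "n/a"),           # build not scanned
]

if __name__ == "__main__":
    for asset, verdict in audit(SAMPLE_ROWS):
        print(f"{asset:14s} {verdict}")
```

Feed it rows from a CSV export (asset name, state, version, build) to reproduce the report's Safe/Vulnerable column outside Lansweeper; any 'Unknown' rows are the ones the SQL report would either error on or never list, so they deserve a manual look.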
