Remediating VMSA-2021-0002 – Potential Issues

In late February, VMware published their second security advisory for 2021. It contained contained three items:

  • CVE-2021-21972 – A remote code execution vulnerability in vCenter that has a CVSS score of 9.8
  • CVE-2021-21974 – A vulnerablity in OpenSLP, which is used in ESXi. This one has a CVSS score of 8.8
  • CVE-2021-21973 – Another vCenter vulnerability that was rated with a CVSS score of 5.3

Given the product versions affected, most organisations with relatively up to date virtualisation infrastructure would be at risk from these items. While testing and simulating the update process, I ran into some issues that might be worth publishing for a broader audience.

vCenter Update Manager Not Available

One of the methods for updating ESXi hosts is to use vCenter Update Manager (VUM). VUM’s functionality is exposed via the HTML 5 interface on vCenter as an Updates tab that appears when viewing certain objects in vCenter, such as ESXi hosts.

In my testing, these interface elements are not present in earlier versions of vCenter 6.5. This is because vCenter 6.5 existed at a time when VMware were progressively adding functionality to the HTML 5 interface, in preparation for the eventual end of life for Flash.

If vCenter 6.5 is updated to the latest version (which also resolves the CVE items listed at the start) then the VUM-related interface elements should appear

Another scenario I saw with this problem involved vCenter Server 6.5 on Windows. Even after updating to the latest version of vCenter, the VUM components wouldn’t be available. Given that VMware appears to have abandoned Windows as a platform option long term and the extra complexity in managing a Windows VM, the best option seems to be to migrate to a Virtual Appliance version of vCenter.

Updating ESXi Fails, Reference to Signing Certificate

The other main issue I experienced was when updating ESXi. When attempting to update using a file, it would generate an error referencing “Could not find a trusted signer”. As covered in VMware KB Article 76555, VMware changed to a newer signing certificate for these updates in 2018. If the host is running a version that is older than a certain point in time, it has no awareness of this new certificate and thus doesn’t trust it.

The workaround for this is to do an intermediate update to a version that does recognise the new certificate. Once that’s done, it’s possible to then update to the latest version.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.