On May 25, 2021, VMware published an advisory for a critical vulnerability affecting vCenter Server 6.5, 6.7 and 7.0 and VMware Cloud Foundation 3.x and 4.x. An attacker who can reach port 443 of vCenter Server can exploit the issue to execute commands with unrestricted privileges on the operating system that hosts vCenter Server. The root cause is a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in.
According to the VMware advisory, “The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server”. Note the last part: the plug-in is enabled by default, so a vCenter Server is exposed even if it manages no vSAN cluster at all. Besides patching vCenter Server to 6.5 Update 3p, 6.7 Update 3n or 7.0 Update 2b, you can disable the vSAN Health Check plug-in as a temporary workaround until the patch is installed.
The same patch release also fixes a separate authentication issue in the vSphere Client that affects the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. The workaround below only removes the vSAN plug-in, so patching remains the only complete fix.
To disable the vSAN plug-in, connect to the vCenter Server Appliance (VCSA) over SSH, edit the compatibility-matrix.xml file so that the vSphere Client no longer loads the plug-in, and restart the vSphere UI service. While the workaround is in place, vSAN cannot be managed from the vSphere Client, which is one more reason to treat it as temporary. For the detailed step-by-step guide, please refer to VMware KB83829.
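The following shell script is an added example of the workaround described above; it is not VMware's code and not copied from KB83829. It marks a plug-in as incompatible in compatibility-matrix.xml, keeps a backup, refuses to edit a file that has no plug-in compatibility section, and is safe to re-run. The file path, the `<pluginsCompatibility>`/`<PluginPackage>` element names and the vSAN plug-in ID in `VSAN_PLUGIN_ID` are assumptions you must verify against KB83829 before running it on a real appliance; the `service-control` restart only runs when the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example, not VMware's code and not taken from KB83829: mark the vSAN
# HTML5 plug-in "incompatible" in compatibility-matrix.xml so the vSphere
# Client refuses to load it, then restart the vsphere-ui service.
# Assumptions to verify against KB83829 before use on a real VCSA:
#   - the file path and the <pluginsCompatibility> / <PluginPackage> elements
#   - the vSAN plug-in ID (VSAN_PLUGIN_ID below)
set -eu

MATRIX_FILE="${MATRIX_FILE:-/etc/vmware/vsphere-ui/compatibility-matrix.xml}"
VSAN_PLUGIN_ID="${VSAN_PLUGIN_ID:-com.vmware.vsphere.client.h5vsan}"   # assumed ID, verify in KB83829

# plugin_disabled FILE ID: exit 0 if ID is already listed as incompatible.
plugin_disabled() {
    grep -q "<PluginPackage id=\"$2\" status=\"incompatible\"/>" "$1"
}

# disable_plugin FILE ID: insert the incompatible entry just before
# </pluginsCompatibility>, keeping the file's indentation and a timestamped
# backup. Idempotent; fails loudly if the section is missing, because a
# silently skipped edit would leave the plug-in enabled.
disable_plugin() {
    file="$1"; id="$2"
    if ! grep -q '</pluginsCompatibility>' "$file"; then
        echo "error: no <pluginsCompatibility> section in $file" >&2
        return 1
    fi
    if plugin_disabled "$file" "$id"; then
        echo "$id already disabled in $file"
        return 0
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    awk -v id="$id" '
        /<\/pluginsCompatibility>/ && !done {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            printf "%s   <PluginPackage id=\"%s\" status=\"incompatible\"/>\n", indent, id
            done = 1
        }
        { print }
    ' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
    echo "$id marked incompatible in $file"
}

# write_sample_matrix FILE: constructed minimal matrix for offline testing;
# the real file on a VCSA contains more entries and comments.
write_sample_matrix() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Matrix>
   <pluginsCompatibility>
   </pluginsCompatibility>
</Matrix>
EOF
}

# Only touch the real appliance when explicitly asked: sh disable-vsan-plugin.sh apply
if [ "${1:-}" = "apply" ]; then
    disable_plugin "$MATRIX_FILE" "$VSAN_PLUGIN_ID"
    # Restart the HTML5 client so the edited matrix is read (VCSA service-control).
    service-control --stop vsphere-ui
    service-control --start vsphere-ui
fi
```

After the restart, confirm in the vSphere Client that the vSAN views are gone, and keep the timestamped backup so the change can be reverted once the patched build is installed.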
Finally, make sure that access to vCenter Server and other management interfaces and IP addresses is restricted to a dedicated management VLAN, with firewall rules or equivalent segmentation so that only administrator workstations and jump hosts can reach port 443 on vCenter. Because this flaw is exploitable by anyone who can reach that port, limiting who can reach it shrinks the exposure, but it does not replace patching: a compromised host inside the management network can still exploit an unpatched vCenter.
You can also read a detailed blog post by Bob Plankers from VMware which explains all the related details about this critical security advisory.