This week, VMware released an update that addresses a vulnerability in vCenter Server. This vulnerability can be used to compromise vCenter Server installations and the ESXi hosts they manage.
The vulnerability exists in VMware Cloud Foundation, too.
About vCenter Server
VMware vCenter Server, formerly known as VirtualCenter, is the centralized management tool for the vSphere suite. vCenter Server allows for the management of multiple ESXi hosts and virtual machines (VMs) from different ESXi hosts through a single console or web application.
About the vulnerability
vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. VMware identifies the vulnerability as CVE-2021-22048 (advisory VMSA-2021-0025) and has evaluated the severity of this issue to be in the Important severity range, with a maximum CVSSv3 base score of 7.1.
A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.
This vulnerability was privately reported to VMware by Yaron Zinar and Sagi Sheinfeld of CrowdStrike.
How to fix the situation
VMware has investigated and determined that the possibility of exploitation can be removed by applying a workaround. The workaround for CVE-2021-22048 is to switch from Integrated Windows Authentication (IWA) to
Call to action
Because many online HOWTOs explain how to configure vCenter Server Single Sign-On using Integrated Windows Authentication (IWA), most vCenter Server implementations are vulnerable to this privilege escalation.
Please switch the Single Sign-On configuration of your vCenter Server(s) to LDAPS or AD FS.