This week, VMware released an update that finally addresses a vulnerability in vCenter Server. Since November 2021, this vulnerability could be used to compromise vCenter Server installations and the ESXi hosts they manage.
Note: The vulnerability exists in VMware Cloud Foundation, too.
About vCenter Server
VMware vCenter Server, formerly known as VirtualCenter, is the centralized management tool for the vSphere suite. vCenter Server allows for the management of multiple ESXi hosts and virtual machines (VMs) from different ESXi hosts through a single console or web application.
About the vulnerability
vCenter Server contains a privilege escalation vulnerability in its Integrated Windows Authentication (IWA) mechanism. VMware tracks the vulnerability as CVE-2021-22048 in advisory VMSA-2021-0025. The issue falls in the Important severity range with a maximum CVSSv3 base score of 7.1.
A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.
This vulnerability was privately reported to VMware by Yaron Zinar and Sagi Sheinfeld of Crowdstrike.
About the Workaround
Since November 2021, VMware offered a workaround to the issue. The workaround for CVE-2021-22048 is to switch from Integrated Windows Authentication (IWA) to
- AD over LDAPS authentication, or
- Identity Provider Federation for AD FS (vSphere 7.0 only)
Unfortunately, for some organizations this workaround is not easy to implement, as there are many interdependencies between delegation and third-party integrations.
About the real fix
In an update to the documentation for VMSA-2021-0025.2, VMware now offers a real fix for CVE-2021-22048, instead of the aforementioned workaround.
For VMware vCenter Server installations running version 7.0, version 7.0 U3f, released on July 12, 2022, addresses the issue. This update also addresses VMSA-2022-0018.
For vSphere 6.5, vSphere 6.7, Cloud Foundation 3.x and Cloud Foundation 4.x, a patch is pending. As communicated in KB83223, the End of General Support for vSphere 6.5 and vSphere 6.7 is October 15, 2022, but VMware seems committed to providing a patch for these vCenter versions as well.