VMware informed customers today that vCenter Server 8.0, the latest release, is still waiting for a patch for a high-severity privilege escalation vulnerability first disclosed in November 2021.
This security flaw (CVE-2021-22048) was found by CrowdStrike’s Yaron Zinar and Sagi Sheinfeld in vCenter Server’s IWA (Integrated Windows Authentication) mechanism, and it also affects VMware’s Cloud Foundation hybrid cloud platform deployments.
An authenticated attacker with non-administrative access can exploit it to gain membership in a more highly privileged group on unpatched servers.
VMware says the flaw can only be exploited from the adjacent network (an attack vector of "network adjacent"), in a high-complexity attack that requires low privileges and no user interaction; NIST's NVD entry for CVE-2021-22048, by contrast, rates it as exploitable remotely in a low-complexity attack.
Even with its more conservative assessment, VMware rates the bug's severity as Important, a level it defines as one where "exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers."
The company did release security updates in July 2022, but only for the latest release available at the time (vCenter Server 7.0 Update 3f), and it retracted those patches 11 days later because they did not remediate the vulnerability and caused Secure Token Service (vmware-stsd) crashes during patching.
“VMware has determined that vCenter 7.0u3f updates previously mentioned in the response matrix do not remediate CVE-2021-22048 and introduce a functional issue,” VMware says in the advisory.
Workaround until a patch is released
While patches are pending for all affected products, VMware provides a workaround that removes the attack vector altogether.
Its advice is to stop using the affected Integrated Windows Authentication (IWA) identity source and switch to either Active Directory over LDAPS or Identity Provider Federation for AD FS (the latter available on vSphere 7.0 only). Note that IWA is the only identity source the vulnerability affects; the workaround is a change of authentication method, not a patch, so the old IWA identity source should be removed once the replacement is verified to work.
“Active Directory over LDAP authentication is not impacted by this vulnerability. However, VMware strongly recommends that customers plan to move to another authentication method,” the company explains.
“Active Directory over LDAPs does not understand domain trusts, so customers that switch to this method will have to configure a unique identity source for each of their trusted domains. Identity Provider Federation for AD FS does not have this restriction.”
VMware also publishes detailed documentation on switching to Active Directory over LDAPS and on moving to Identity Provider Federation for AD FS.