VMware has yet to fix CVE-2021-22048 flaw in vCenter Server disclosed one year ago

VMware has yet to address the CVE-2021-22048 privilege escalation vulnerability in vCenter Server disclosed in November 2021.

VMware warns customers that it has yet to address a high-severity privilege escalation vulnerability, tracked as CVE-2021-22048, in the vCenter Server.

The flaw was disclosed in November 2021, it resides in the vCenter Server ‘s IWA (Integrated Windows Authentication) mechanism.

The vulnerability can be exploited by an attacker with non-administrative access to vulnerable vCenter Server deployments to elevate privileges to a higher privileged group.

“The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism.” reads the advisory published by the company. “A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.”

The CVE-2021-22048 flaw was reported by CrowdStrike researchers Yaron Zinar and Sagi Sheinfeld on November 10th, 2021.

In July 2022, VMware addressed the CVE-2021-22048 vulnerability for the latest available release at the time (vCenter Server 7.0 Update 3f). Unfortunately, the security patches released by the company did not fix the issue and caused the crash of the Secure Token Service triggering an exception in postInstallHook.

The security patches were rolled back for the above issue.

“VMware has determined that vCenter 7.0u3f updates previously mentioned in the response matrix do not remediate CVE-2021-22048 and may introduce a functional issue for customers using IWA. Please review KB89027 for more information.” reported the advisory published by the virtualization giant.

At the time, the company provided a workaround for this vulnerability, suggesting switching to AD over LDAPS authentication OR Identity Provider Federation for AD FS (vSphere 7.0 only) from Integrated Windows Authentication (IWA).

“VMware has investigated and determined that the possibility of exploitation can be removed by performing the steps detailed in the Workaround section of this article.” states the company.

“This workaround requires that the SSO identity source configuration is switched from Integrated Windows Authentication (IWA) to one of the options below.

1)  Active Directory over LDAPs authentication 
2)  Identity Provider Federation for AD FS (vSphere 7.0 or later)”

VMware states that Active Directory over LDAP authentication is not impacted by this issue. However, the company urges customers to move to another authentication method.

“Active Directory over LDAPs does not understand domain trusts, so customers that switch to this method will have to configure a unique identity source for each of their trusted domains. Identity Provider Federation for AD FS does not have this restriction.” concludes the advisory.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-22048)

[adrotate banner=”5″]

[adrotate banner=”13″]