VMSA-2021-0025.2 - VMware vCenter Server updates address a privilege escalation vulnerability (CVE-2021-22048)



VMware vCenter Server is advanced server management software that provides a centralised platform for controlling your VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure across the hybrid cloud with confidence.

This privilege escalation vulnerability in VMware vCenter Server was reported to VMware by Yaron Zinar and Sagi Sheinfeld of CrowdStrike.

Present Issue

vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Impacted Products

The following products are impacted. Workarounds are available to remediate this vulnerability in the affected VMware products.

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

Known Attack Vectors

A malicious actor with non-administrative access to vCenter Server may exploit this issue to elevate privileges to a higher privileged group.

Note: There is currently no resolution (patch) for this issue. A workaround is available and is described in this guide.

Impact / Risks

Active Directory over LDAPS does not understand domain trusts, so customers that switch to this method will have to configure a separate identity source for each of their trusted domains. Identity Provider Federation for AD FS does not have this restriction. See the original VMware blog post for details.

Workarounds

The workaround for CVE-2021-22048 is to move from Integrated Windows Authentication (IWA) to either AD over LDAPS authentication or Identity Provider Federation for AD FS (vSphere 7.0 only), as documented in the KB listed in the 'Workarounds' column of the 'Response Matrix' below (KB86292).

 

Active Directory over LDAP authentication is not impacted by this vulnerability. However, VMware strongly recommends that customers plan to move to another authentication method. The VMware blog post referenced above has more details on this.
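As an added example (it is not part of the VMware advisory, KB86292 or this post), the following bash script is a pre-flight check for the "AD over LDAPS" workaround described above. vCenter needs the LDAPS certificate of a domain controller for each identity source, and because LDAPS identity sources do not follow domain trusts you need one source per domain. The script pulls the certificate each listed DC presents on TCP/636, checks it for expiry and a name match, saves it as PEM for upload when the identity source is created, and reports how many identity sources the switch will require. The domain and DC inventory, host names and output directory are constructed placeholders; `openssl x509 -ext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example for the CVE-2021-22048 LDAPS workaround; not VMware code.
# Collects the LDAPS (TCP/636) certificate of one domain controller per domain
# so it can be uploaded when replacing the IWA identity source with AD over LDAPS.
set -u

# Constructed inventory: one line per domain that IWA currently covers via
# trusts, in the form "<domain> <dc-host>". Hypothetical names.
DOMAINS="corp.example.com dc01.corp.example.com
child.corp.example.com dc01.child.corp.example.com"

OUTDIR="${OUTDIR:-./ldaps-certs}"

# Extract the first (leaf) PEM certificate block from `openssl s_client -showcerts`
# output. Pure text processing, so it can be exercised without a live DC.
extract_first_pem() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p) exit}'
}

# One LDAPS identity source is needed per domain (one per non-blank inventory line),
# since AD over LDAPS does not resolve trusted domains the way IWA did.
required_identity_sources() {
  printf '%s\n' "$1" | grep -c '[^[:space:]]'
}

# Fetch the leaf certificate from <host>:636 and write it as PEM to <out>.
fetch_ldaps_cert() {
  local host="$1" out="$2"
  # -servername sends SNI; </dev/null closes the session after the handshake.
  openssl s_client -connect "${host}:636" -servername "${host}" -showcerts </dev/null 2>/dev/null \
    | extract_first_pem > "$out"
  [ -s "$out" ]
}

# Sanity-check the saved PEM: not expired, and the DC name appears in subject/SAN.
check_cert() {
  local host="$1" pem="$2"
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
    || { echo "  EXPIRED: certificate on $host"; return 1; }
  openssl x509 -in "$pem" -noout -subject -ext subjectAltName 2>/dev/null | grep -qi "$host" \
    || { echo "  WARN: $host not found in certificate subject/SAN"; return 1; }
  echo "  OK: $(openssl x509 -in "$pem" -noout -enddate)"
}

main() {
  mkdir -p "$OUTDIR"
  echo "Identity sources needed after the switch: $(required_identity_sources "$DOMAINS")"
  while read -r domain dc; do
    [ -n "$domain" ] || continue
    pem="$OUTDIR/$domain.pem"
    echo "$domain -> $dc"
    if fetch_ldaps_cert "$dc" "$pem"; then
      check_cert "$dc" "$pem"
    else
      echo "  FAIL: no certificate returned from $dc:636"
    fi
  done <<EOF
$DOMAINS
EOF
}

# Only contact the DCs when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `./ldaps-preflight.sh --run` from a host that can reach the domain controllers; the PEM files it writes are what you upload in the vSphere Client when creating each AD over LDAPS identity source. A DC whose certificate fails the name or expiry check should be fixed (or a different DC chosen) before the IWA source is removed, otherwise logins break at the switch.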

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| vCenter Server | 7.0 | Any | CVE-2021-22048 | 7.1 | Important | 7.0 U3f | KB86292 | None |
| vCenter Server | 6.7 | Any | CVE-2021-22048 | 7.1 | Important | Patch Pending | KB86292 | None |
| vCenter Server | 6.5 | Any | CVE-2021-22048 | 7.1 | Important | Patch Pending | KB86292 | None |

VMware Cloud Foundation provides a ubiquitous hybrid cloud platform for both traditional enterprise and modern applications. Based on a proven and comprehensive software-defined stack including VMware vSphere with VMware Tanzu, VMware vSAN, VMware NSX-T Data Center, and VMware vRealize Suite. VMware Cloud Foundation provides a complete set of software-defined services for compute, storage, network, container, and cloud management. The result is an agile, reliable, efficient cloud infrastructure that offers consistent operations across private and public clouds.

Impacted Product Suites that Deploy Response Matrix Components

Below is a response matrix addressing the Cloud Foundation Vulnerability.

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2021-22048 | 7.1 | Important | Patch Pending | KB86292 | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2021-22048 | 7.1 | Important | Patch Pending | KB86292 | None |

4 comments



Saw this notice recently. Thanks for posting it.


You are welcome!


Just came across this and I think the KB article from VMware is a bit confusing.

Is this a new issue or has this been posted/open since 2021?

Also be aware that update U3f didn't solve this issue, but causes problems because of Integrated Windows Authentication. If you're using that, then don't upgrade and go for U3g (still no remediation for this issue).

 

 

Yeah I went to U3F so need to get to G update today. Never ending updates. 😂
