VMware vCenter Server updates address a privilege escalation vulnerability

VMware vCenter Server is advanced server management software that provides a centralized platform for controlling your VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure across the hybrid cloud with confidence. With VMware vCenter, you gain centralized visibility, simplified and efficient management at scale, and extensibility across the hybrid cloud from a single console. Here is the link to my blog post.

The following vulnerability was reported by Yaron Zinar and Sagi Sheinfeld of CrowdStrike to VMware. The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Impacted Products

  • VMware vCenter Server (vCenter Server)
  • VMware Cloud Foundation (Cloud Foundation)

What Exploit does this Vulnerability Present?

A malicious actor with non-administrative access to the vCenter Server may exploit this issue to elevate privileges to a higher privileged group.

Workarounds

There are currently no updates (patches) to mitigate this vulnerability. The workaround for CVE-2021-22048 is to switch from Integrated Windows Authentication (IWA) to AD over LDAPS authentication or to Identity Provider Federation for AD FS (vSphere 7.0 or later), as documented in the KB listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Product         Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version      Workarounds  Additional Documentation
vCenter Server  8.0      Any         CVE-2021-22048  7.1     Important  Patch Pending      KB86292      None
vCenter Server  7.0      Any         CVE-2021-22048  7.1     Important  Patch Pending [1]  KB86292      KB89027 [1]
vCenter Server  6.7      Any         CVE-2021-22048  7.1     Important  Patch Pending      KB86292      None
vCenter Server  6.5      Any         CVE-2021-22048  7.1     Important  Patch Pending      KB86292      None

Impacted Product Suites that Deploy Response Matrix Components:

Product                            Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Cloud Foundation (vCenter Server)  4.x      Any         CVE-2021-22048  7.1     Important  Patch Pending  KB86292      None
Cloud Foundation (vCenter Server)  3.x      Any         CVE-2021-22048  7.1     Important  Patch Pending  KB86292      None

Note: VMware has determined that vCenter 7.0u3f updates previously mentioned in the response matrix do not remediate CVE-2021-22048 and may introduce a functional issue for customers using IWA. Please review KB89027 for more information.
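As an added example (not from the original post and not VMware's own code), the PowerCLI script below lists the vCenter Single Sign-On identity sources and flags any Integrated Windows Authentication source, so an administrator can confirm whether a given vCenter is still relying on the mechanism CVE-2021-22048 affects before planning the KB86292 workaround. It assumes the VMware.vSphere.SsoAdmin module from the PowerShell Gallery is installed; the `$VcenterFqdn` and `$Credential` parameters are placeholders you supply, and the type-name matching used to tell IWA sources from AD over LDAP/LDAPS sources is an assumption to verify against your module version.

```powershell
# Added example: report vCenter SSO identity sources and flag IWA ones.
# Assumes the VMware.vSphere.SsoAdmin PowerCLI module (PowerShell Gallery).
param(
    [Parameter(Mandatory)] [string]       $VcenterFqdn,   # placeholder, e.g. vcsa01.corp.example
    [Parameter(Mandatory)] [pscredential] $Credential     # SSO administrator credential
)

Import-Module VMware.vSphere.SsoAdmin -ErrorAction Stop

# Connect to the SSO administration endpoint of this vCenter.
$sso = Connect-SsoAdminServer -Server $VcenterFqdn `
                              -User $Credential.UserName `
                              -Password $Credential.GetNetworkCredential().Password `
                              -SkipCertificateCheck

try {
    $sources = Get-IdentitySource -Server $sso

    $report = foreach ($src in $sources) {
        # Assumption: the module returns IWA sources as an "ActiveDirectory..."
        # type and AD over LDAP/LDAPS (and OpenLDAP) sources as an "Ldap..." type.
        # Check with `$src | Get-Member` if your version names them differently.
        $typeName = $src.GetType().Name
        $status = switch -Regex ($typeName) {
            'Ldap'            { 'AD over LDAP/LDAPS - not the IWA mechanism'; break }
            'ActiveDirectory' { 'IWA - affected by CVE-2021-22048, migrate per KB86292'; break }
            default           { 'Local OS / system domain - not an AD source' }
        }
        [pscustomobject]@{
            Name   = $src.Name
            Type   = $typeName
            Status = $status
        }
    }

    $report | Format-Table -AutoSize
}
finally {
    # Always release the SSO session, even if enumeration failed.
    Disconnect-SsoAdminServer -Server $sso
}
```

Run it once per vCenter (for Cloud Foundation, against each vCenter in the workload domains); any row whose Status mentions IWA is a candidate for the switch to AD over LDAPS or AD FS federation described in the Workarounds section.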


2 comments

Thanks for sharing.  These always help for those using VMware.

Thanks for sharing.  These always help for those using VMware.

I agree, Cheers!