Eight months after disclosing a high-severity privilege escalation flaw in vCenter Server’s IWA (Integrated Windows Authentication) mechanism, VMware has finally released a patch for one of the affected versions.
This vulnerability (tracked as CVE-2021-22048 and reported by CrowdStrike’s Yaron Zinar and Sagi Sheinfeld) also affects VMware’s Cloud Foundation hybrid cloud platform deployments.
Successful exploitation enables attackers with non-administrative access to unpatched vCenter Server deployments to elevate privileges to a higher privileged group.
According to VMware, the bug can only be exploited from the same physical or logical network on which the targeted server is located as part of high complexity attacks requiring low privileges and no user interaction (however, NIST NVD’s CVE-2021-22048 entry says it’s exploitable remotely in low complexity attacks).
Despite this, VMware has evaluated the severity of this bug to be in the Important severity range, which means that “exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers.”
While CVE-2021-22048 affects multiple vCenter Server versions (i.e., 6.5, 6.7, and 7.0), the company released vCenter Server 7.0 Update 3f today, a security update that only addresses the vulnerability for servers running the latest available release.
Workaround available
Luckily, although patches are pending for the other affected versions, VMware has provided a workaround to remove the attack vector since the security advisory was first published eight months ago, on November 10th, 2021.
To block attack attempts, VMware advises admins in a separate knowledgebase article to switch to Active Directory over LDAPs authentication OR Identity Provider Federation for AD FS (vSphere 7.0 only) from the affected Integrated Windows Authentication (IWA).
“Active Directory over LDAP authentication is not impacted by this vulnerability. However, VMware strongly recommend that customers plan to move to another authentication method,” the company said.
“Active Directory over LDAPs does not understand domain trusts, so customers that switch to this method will have to configure a unique identity source for each of their trusted domains. Identity Provider Federation for AD FS does not have this restriction.”
VMware provides detailed instructions on switching to Active Directory over LDAPs (here and here) and on switching to Identity Provider Federation for AD FS.
