- A privilege escalation vulnerability found in vCenter Server’s Integrated Windows Authentication (IWA) affects VMware’s Cloud Foundation hybrid cloud platform deployments.
- VMware says the vulnerability can only be exploited by an attacker on a network adjacent to the targeted server.
- VMware released a patch in July but retracted it 11 days later because it didn’t solve the problem.
VMware updated a security advisory regarding a high-severity privilege escalation vulnerability disclosed in November 2021. The vulnerability was reported by Yaron Zinar and Sagi Sheinfeld from CrowdStrike. The privilege escalation vulnerability, tracked as CVE-2021-22048, was found in vCenter Server’s IWA and affects VMware’s Cloud Foundation hybrid cloud platform deployments.
Not patched
VMware’s advisory says that the vulnerability can only be exploited by an attacker on a network adjacent to the targeted server, in a high-complexity attack that requires low privileges and no user interaction. According to the NIST NVD entry, however, the vulnerability is exploitable remotely with a low-complexity attack.
The last two entries in the advisory read:
« 2022-07-23 VMSA-2021-0025.3 VMware has determined that vCenter 7.0u3f updates previously mentioned in the response matrix do not remediate CVE-2021-22048 and introduce a functional issue. »
In July, VMware released a patch addressing the flaw; however, it was retracted 11 days later because it did not remediate the vulnerability and also caused Secure Token Service crashes during the patching process.
« 2022-10-11 VMSA-2021-0025.4 Added vCenter Server 8.0 in the Response Matrix. »
The vulnerability still exists in vCenter Server 8.0, the latest version. VMware has, however, provided a workaround: users can switch from Integrated Windows Authentication to AD over LDAPS authentication or to Identity Provider Federation for AD FS (vSphere 7.0 or later).