VMware has warned customers that the latest version of vCenter Server 8.0 is still awaiting a fix for a privilege escalation vulnerability that was discovered in November 2021.
CrowdStrike in the IWA (Integrated Windows Authentication) vCenter Server mechanism found the issue in CVE-2021-22048. It also affects the VMware Cloud Foundation hybrid cloud platform. Attackers with non-administrative access can use this bug to elevate privileges.
Moreover, we wrote that the RCE vulnerability in VMware vCenter has already been used for attacks.
Troy Mursch
Bad Packets specialist Troy Mursch told Bleeping Computer that the attacks recorded by the company’s honeypots used code based on an incomplete exploit published by Vietnamese security researcher Yang.
VMware states that the vulnerability can only be exploited by attackers using a network adjacent to the target server, and the complexity of such an attack would be extremely high, although the vulnerability description in NIST NVD says that the problem can be exploited remotely, and the complexity of such an attack is rated as low.
Initially, the developers released patches for this problem in July 2022, which fixed the vulnerability only for servers with the latest version of vCenter Server 7.0 Update 3f available at that time. Moreover, as a result, the fix was generally withdrawn after 11 days, since it turned out that it did not completely eliminate the bug, and the Secure Token Service (vmware-stsd) crashed during the installation of the update.
While this means there are still no patches, VMware is offering a workaround that will allow administrators to protect themselves from this attack vector. To block attack attempts, VMware recommends switching Active Directory to LDAP authentication or Identity Provider Federation for AD FS (vSphere 7.0 only) with IWA integrated.
