A high-severity vulnerability disclosed almost a year ago has still not been patched in VMware vCenter Server 8.0, the company has confirmed.
The flaw, tracked as CVE-2021-22048, is a privilege escalation vulnerability in vCenter Server’s Integrated Windows Authentication (IWA) mechanism. Publicly disclosed in November 2021, it allows a user with non-administrative access to vCenter Server to elevate their privileges to a more privileged group on unpatched servers.
Threat actors that successfully exploit the flaw can “completely compromise the confidentiality and/or integrity of user data and/or processing resources through user assistance, or by authenticated attackers”, VMware’s advisory said at the time.
Workarounds available
The patch is still pending, but not for lack of trying. VMware actually shipped a fix in July 2022, in vCenter Server 7.0 Update 3f, the then-current release, according to BleepingComputer.
However, the company pulled the patch less than a fortnight later because it did not fix the issue and also caused the Secure Token Service (vmware-stsd) to crash during patching.
“VMware has determined that vCenter 7.0u3f updates previously mentioned in the response matrix do not remediate CVE-2021-22048 and introduce a functional issue,” VMware said at the time in its updated security advisory.
Until a patch is available, administrators running affected systems are advised to apply a workaround: switch the vCenter identity source from IWA to Active Directory over LDAPS, or to Identity Provider Federation for AD FS (available from vSphere 7.0).
“Active Directory over LDAP authentication is not impacted by this vulnerability,” the company said. “However, VMware strongly recommends that customers plan to move to another authentication method.”
Furthermore, “Active Directory over LDAPS does not understand domain trusts, so customers that switch to this method will have to configure a unique identity source for each of their trusted domains,” VMware explained. “Identity Provider Federation for AD FS does not have this restriction.”
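The following PowerCLI script is an added example, not code from the article or from VMware. It shows what the workaround above looks like in practice: audit a vCenter for IWA identity sources, then register one Active Directory over LDAPS identity source per domain, including each trusted domain, since AD over LDAPS does not follow trusts. It assumes the community VMware.vSphere.SsoAdmin PowerCLI module (Connect-SsoAdminServer, Get-IdentitySource, Remove-IdentitySource, Add-LDAPIdentitySource); the cmdlet and parameter names are given as documented for that module and should be confirmed with Get-Help before running. The vCenter hostname, domain names, aliases, domain controllers and base DNs are placeholders, and the assumption that IWA sources come back as ActiveDirectoryIdentitySource objects is marked in the code.

```powershell
# Added example (not from the article or from VMware): audit a vCenter for IWA
# identity sources and replace them with one AD-over-LDAPS source per domain.
# Assumes the community PowerCLI module VMware.vSphere.SsoAdmin; check cmdlet and
# parameter names with Get-Help before use. Hostnames, aliases and DNs are placeholders.
#Requires -Modules VMware.vSphere.SsoAdmin

param(
    [string]$VCenter = 'vcenter.example.test'     # placeholder vCenter FQDN
)

# Fetch the DC's TLS certificate once so the identity source pins it and the STS
# will not bind to an impostor LDAPS endpoint. Confirm the printed thumbprint
# against the DC out of band before trusting it.
function Get-LdapsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: we are retrieving it to pin, not trusting it yet.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        Write-Host ('{0}: {1} (expires {2:u})' -f $HostName, $cert.Thumbprint, $cert.NotAfter)
        return $cert
    } finally {
        $tcp.Dispose()
    }
}

$sso = Get-Credential -Message 'vCenter SSO administrator (e.g. administrator@vsphere.local)'
Connect-SsoAdminServer -Server $VCenter -User $sso.UserName `
    -Password $sso.GetNetworkCredential().Password | Out-Null

# 1. Audit: list external identity sources and flag the IWA ones.
#    Assumption: the module returns IWA sources as ActiveDirectoryIdentitySource
#    objects and AD-over-LDAP(S) sources as LdapIdentitySource objects.
$external = @(Get-IdentitySource -External)
$external | ForEach-Object { '{0,-30} {1}' -f $_.Name, $_.GetType().Name } | Write-Host
$iwa = @($external | Where-Object { $_.GetType().Name -like 'ActiveDirectory*' })
if ($iwa.Count -eq 0) {
    Write-Host 'No IWA identity source configured; nothing to migrate.'
    return
}

# 2. Remediate. vCenter allows only one identity source per domain name, so the
#    IWA source for a domain is removed before its LDAPS replacement is added, and
#    AD over LDAPS does not follow trusts, so every trusted domain gets its own entry.
$domains = @(
    @{ Name = 'corp.example.test';    Alias = 'CORP';    Dc = 'dc1.corp.example.test';    BaseDn = 'DC=corp,DC=example,DC=test' },
    @{ Name = 'trusted.example.test'; Alias = 'TRUSTED'; Dc = 'dc1.trusted.example.test'; BaseDn = 'DC=trusted,DC=example,DC=test' }
)
$bind = Get-Credential -Message 'Read-only LDAP bind account (UPN) used by the STS for lookups'

foreach ($d in $domains) {
    $cert = Get-LdapsCertificate -HostName $d.Dc          # fetch before removing anything
    $iwa | Where-Object { $_.Name -eq $d.Name } | Remove-IdentitySource
    Add-LDAPIdentitySource -Name $d.Name -DomainName $d.Name -DomainAlias $d.Alias `
        -PrimaryUrl "ldaps://$($d.Dc):636" `
        -BaseDNUsers $d.BaseDn -BaseDNGroups $d.BaseDn `
        -Username $bind.UserName -Password $bind.GetNetworkCredential().Password `
        -ServerType 'ActiveDirectory' -Certificates $cert
    Write-Host "Registered AD over LDAPS identity source for $($d.Name)."
}
```

Run it while logged in as the local SSO administrator rather than a domain account, because domain logins are unavailable between the removal of the IWA source and the successful creation of its LDAPS replacement. Pinning the domain controller's leaf certificate, as above, means a certificate renewal on the DC breaks domain authentication until the identity source is updated; where DC certificates rotate often, pass the issuing CA certificate to -Certificates instead. Group memberships of users in trusted domains must be checked after the change, since each domain is now queried independently rather than through the trust.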
Via BleepingComputer