VMware patches vCenter Server flaw disclosed in November

Eight months after disclosing a high-severity privilege escalation flaw in vCenter Server's IWA (Integrated Windows Authentication) mechanism, VMware has finally released a patch for one of the affected versions.


This vulnerability (tracked as CVE-2021-22048 and reported by CrowdStrike's Yaron Zinar and Sagi Sheinfeld) also affects VMware's Cloud Foundation hybrid cloud platform deployments.


Successful exploitation enables attackers with non-administrative access to unpatched vCenter Server deployments to elevate privileges to a higher privileged group.


According to VMware, the bug can only be exploited from the same physical or logical network as the targeted server, in high-complexity attacks that require low privileges and no user interaction (NIST NVD's CVE-2021-22048 entry, however, rates it as exploitable remotely in low-complexity attacks).


Despite this, VMware has evaluated the severity of this bug to be in the Important severity range, which means that "exploitation results in the complete compromise of confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers."


While CVE-2021-22048 affects multiple vCenter Server versions (i.e., 6.5, 6.7, and 7.0), the company released vCenter Server 7.0 Update 3f today, a security update that only addresses the vulnerability for servers running the latest available release.


Workaround available


Luckily, alt ..