VMware vCenter - CVE-2021-22048

this flaw of 2021 remains unpatched!

VMware informs its users that a security flaw discovered in November 2021 within vCenter Server present in the IWA (Integrated Windows Authentication) authentication mechanism is still awaiting a fix.

By exploiting this vulnerability associated with the reference CVE-2021-22048 (CVSSv3 score of 7.1 out of 10), an attacker without administrative rights on a VMware vCenter server can elevate their privileges by gaining the rights of a group with more privileges. In the VMware Security Bulletinwe can read : “The vCenter server contains an elevation of privilege vulnerability in the Integrated Windows Authentication (IWA) authentication mechanism”. In fact, it allows to authenticate from its Windows credentials.

Reported to VMware on November 10, 2021 by Yaron Zinar and Sagi Sheinfeld of CrowdStrike, this vulnerability received a security patch in July 2022, especially for servers with version vCenter Server 7.0 Update 3f (latest version available at this date). Nevertheless, 11 days later, VMware removed the patch because it did not properly fix the vulnerability and it was causing problems with the Secure Token Service. VMware specifies: “VMware has determined that the vCenter 7.0u3f updates mentioned earlier in the response matrix do not fix CVE-2021-22048 and introduce a functional issue.

At the moment, there is still no patch for this security flaw. In the meantime, VMware still offers a temporary solution to its users. The American company recommends that administrators switch to Active Directory authentication or to the mode Identity Provider Federation for AD FS (only for vSphere 7.0), instead of the IWA method.

There is documentation available on the VMware site to guide you:

This security flaw affects VMware vCenter Server 6.5, 6.7, 7.0 and the latest version: 8.0. In addition, the Cloud Foundation version is also impacted.


Logiciel – OS,Sécurité,VMware,

#flaw #remains #unpatched

Leave a Comment

Your email address will not be published. Required fields are marked *