A very serious VMware bug has still not been fixed, almost a year later

A high-severity vulnerability discovered nearly a year ago in VMware vCenter Server 8.0 has yet to be patched, the company confirmed.

The flaw, identified as CVE-2021-22048, is described as an elevation of privilege vulnerability and allows non-administrator users to elevate their privileges on unpatched servers. It was discovered in November 2021 in vCenter Server's Integrated Windows Authentication (IWA) mechanism.

Threat actors who successfully exploit the flaw can "completely compromise the confidentiality and/or integrity of user data and/or processing resources through user support or by authenticated attackers," according to a statement made at the time.

Alternative solutions available

A fix is still pending, but not for lack of trying. VMware released a security update in July of this year, which attempted to fix the flaw on servers running the most recent version (i.e. vCenter Server 7.0 Update 3f, according to BleepingComputer).

However, the company was forced to pull the patch less than a fortnight later, as it did not fix the issue and also caused the Secure Token Service (vmware-stsd) to fail during patching.

"VMware has determined that the vCenter 7.0u3f updates mentioned above in the response matrix do not fix CVE-2021-22048 and introduce a functional issue," VMware said in its security advisory at the time.

Until a fix is available, IT administrators running the affected systems are encouraged to implement a workaround: moving from IWA to either Active Directory over LDAP authentication or Identity Provider Federation for AD FS (vSphere 7.0).

"Active Directory authentication over LDAP is not affected by this vulnerability," the company said. "However, VMware strongly recommends that customers plan to switch to an alternative authentication method."

Additionally, "Active Directory over LDAP does not understand domain trusts, so customers switching to this method will need to configure a unique source of identity for each of their trusted domains," VMware explained. "Identity Provider Federation for AD FS does not have this restriction."

Via BleepingComputer