The high-severity VMware bug is still unpatched one year later


The company has confirmed that a high-severity vulnerability discovered in VMware vCenter Server 8.0 a year ago has still not been patched.

The flaw, identified as CVE-2021-22048, is a privilege escalation vulnerability that allows non-admin users to elevate their privileges on unpatched servers. It was discovered in November 2021 in the Integrated Windows Authentication (IWA) mechanism.

At the time, successful exploitation of the flaw was said to be capable of compromising the confidentiality and/or integrity of user data and/or processing resources through user assistance or by authenticated attackers.

Workarounds available

According to BleepingComputer, the patch is still pending, but not for lack of effort. VMware issued a security update in July this year that tried to fix the flaw for servers running the most up-to-date version (vCenter Server 7.0 Update 3f).

The company was forced to pull the patch less than a fortnight later because it didn't fix the issue and also caused the Secure Token Service (vmware-stsd) to crash during patching.

"VMware has determined that the vCenter 7.0u3f updates previously discussed in the response matrix do not remediate CVE-2021-22048 and pose a functional obstacle," VMware said in the security advisory.

IT admins operating affected systems should implement a workaround by switching from IWA to Active Directory over LDAPs authentication or Identity Provider Federation for AD FS (vSphere 7.0).

According to VMware, the vulnerability does not affect Active Directory over LDAPs authentication. However, customers should move to another authentication method.

According to VMware, "Active Directory over LDAPs does not understand domain trusts, therefore customers that switch to this method will have to create a unique identity source for each of their trusted domains. The AD FS Federation does not have this requirement."

Via BleepingComputer