Home > Cyber News > CVE-2021-22048: Patch Available for VMware Server Flaw

CVE-2021-22048: Patch Available for VMware Server Flaw

CVE-2021-22048: Patch Available for VMware Server Flaw

CVE-2021-22048 is a high-severity privilege escalation vulnerability in the VMware vCenter Server IWA mechanism, which also affects the Cloud Foundation hybrid platform. Eight months after the vulnerability was disclosed, the company released a patch for one of the affected versions.

According to the original CVE description, the vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. In terms of how the vulnerability can be exploited, a threat actor with non-administrative access to vCenter Server could leverage the loophole to elevate privileges to a higher privileged group.

Partial Fix Available for CVE-2021-22048

CVE-2021-22048 affects several vCenter Server versions, but an update has been released only for vCenter Server 7.0 Update 3f. In other words, the fix is available only for servers running the latest release (more information about the release).

When the vulnerability was reported first, the company came up with a workaround which involved the switching of SSO identity source configuration from IWA to one of the following options:

  • Active Directory over LDAPs authentication;
  • Identity Provider Federation for AD FS (vSphere 7.0 only).

CVE-2021-22005 is an example of another dangerous vCenter vulnerability. The severe status of the vulnerability was based on the fact that anyone who could reach vCenter Server over the network to gain access could abuse the issue, regardless of the configuration settings of vCenter Server. This also included ransomware threat actors, security researchers pointed out.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree