CVE-2021-22048 is a high-severity privilege escalation vulnerability in the VMware vCenter Server IWA mechanism, which also affects the Cloud Foundation hybrid platform. Eight months after the vulnerability was disclosed, the company released a patch for one of the affected versions.
According to the original CVE description, vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) mechanism. As for exploitation, a threat actor with non-administrative access to vCenter Server could use the flaw to elevate privileges to a higher-privileged group.
Partial Fix Available for CVE-2021-22048
CVE-2021-22048 affects several vCenter Server versions, but an update has been released only for vCenter Server 7.0 Update 3f. In other words, the fix is available only for servers running the latest release.
When the vulnerability was first reported, the company published a workaround that involved switching the SSO identity source configuration from IWA to one of the following options:
- Active Directory over LDAPs authentication;
- Identity Provider Federation for AD FS (vSphere 7.0 only).
CVE-2021-22005 is an example of another dangerous vCenter vulnerability. Its severity rating was based on the fact that anyone who could reach vCenter Server over the network could abuse the issue to gain access, regardless of the vCenter Server configuration settings. Security researchers pointed out that this also included ransomware threat actors.