Security Experts:

VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations

VMware on Tuesday announced the availability of patches for a vCenter Server vulnerability that could facilitate attacks against many organizations.

The vulnerability, tracked as CVE-2022-22948, is described as an information disclosure issue caused by improper file permissions. The flaw was reported to the virtualization giant by Pentera, a company that helps organizations reduce their cyber exposure.

Pentera on Tuesday disclosed the details of the security hole, warning that while CVE-2022-22948 may not seem very dangerous — it has been assigned a “moderate severity” rating — it can be chained with other vulnerabilities for a complete server takeover.

For example, an attacker can obtain initial access to an endpoint hosting a vCenter Server client by exploiting CVE-2021-21972, a flaw that has been used by malicious actors since at least the spring of 2021. Once they have gained initial access, attackers can exploit the newly disclosed vulnerability to extract sensitive information.

Specifically, a hacker can exploit CVE-2022-22948 to obtain the credentials for a high-privilege account that can be used to take complete control of the server.

The exploit chain described by the cybersecurity firm also involves CVE-2021-22015, a privilege escalation flaw that is needed to decrypt the password for the aforementioned high-privilege account. CVE-2021-22015 is a high-severity issue that was reported to VMware last year.

“In the full attack vector, threat actors can completely take over an organization’s ESXi’s deployed in a hybrid infrastructure and virtual machines hosted and managed by the hypervisor from just endpoint access to a host with a vCenter client,” Pentera explained.

The company noted that VMware has 500,000 customers, which makes these types of vulnerabilities very valuable to threat actors.

It’s not uncommon for hackers to leverage VMware product security flaws in their attacks, and in many cases exploitation starts just days after the vendor has released a patch. This is why it’s important that organizations apply patches as soon as possible.

Related: Attackers Hitting VMWare Horizon Servers With Log4j Exploits

Related: VMware Patches Vulnerabilities Disclosed at Chinese Hacking Contest

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.