Get patching! Old vCenter vulnerability actively abused
CISA has added a two-year-old vulnerability in vCenter to its catalog of known exploited vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has added a two-year-old vCenter vulnerability to its catalog of Known Exploited Vulnerabilities. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by August 7, 2024 to protect their networks against active threats.
VMWare vCenter Server is server management software that provides a centralized platform for controlling VMware vSphere environments, enabling the management of virtual machines and ESXi hosts.
vCenter is installed in many thousands of organizations worldwide and used to manage some of their most critical assets and core systems. This makes it a valuable target for ransomware peddlers and other cybercriminals.
VMWare itself touts a very large user-base, saying it’s âdeployed by 100 percent of Fortune 500 and 100 percent of Fortune Global 100 companies, VMware vSphere is the most trusted platform for virtualization, underpinning cloud initiatives.â
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE assigned to the vulnerability at hand is:
CVE-2022-22948 (CVSS score 5.5 out of 10): the vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.
The vulnerability can be used in an attack chain that leads to a complete takeover. A successful attacker can take over the host where the vCenter application is running, and all of its ESXi servers deployed in a hybrid infrastructure and virtual machines hosted and managed by the hypervisor.
Last year researchers linked an attack chain on compromised hypervisors to a Chinese espionage group. In that attack chain, systems vulnerable to this flaw saved the attacker a lot of work, because they do not need root access to decrypt the password for a default user account.
A patch for the vulnerability has been available since May 16, 2022.
There are no workarounds, so the only way to remediate CVE-2022-22948 is to apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found in the VMWare Security Advisory about CVE-2022-22948.
We donât just report on vulnerabilitiesâwe identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.
