Critical Privilege Escalation Bug in vCenter - No Patch yet

Critical privilege escalation vulnerability in the vCenter Server.

VMware's security team has released a security advisory that briefly describes a privilege escalation vulnerability in vCenter Server. The vulnerability is tracked as CVE-2021-22048 and carries a Common Vulnerability Scoring System (CVSS) score of 7.1/10.

According to the advisory, the bug was discovered by Yaron Zinar and Sagi Sheinfeld, security researchers at CrowdStrike. A threat actor with non-administrative access to vCenter Server could exploit the vulnerability to escalate their privileges to a group with greater access to critical areas of the system. The flaw resides in vCenter Server 6.7 and 7.0 and also affects Cloud Foundation 3.x and 4.x.

No fix is available for this bug yet. As a workaround, VMware recommends reducing the risk of exploitation by switching the vCenter identity source from Integrated Windows Authentication (IWA) to Active Directory over LDAPS; whether other working alternatives exist is currently unknown.
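Before switching an identity source to AD over LDAPS, an administrator needs to know that every domain controller actually answers on port 636 with a certificate that vCenter will trust. The following pre-flight check is an added example written for this article, not VMware's code; the domain-controller names are constructed, and the optional `ca_file` is assumed to be the enterprise root CA in PEM form.

```python
"""Pre-flight check for the AD-over-LDAPS workaround (added example)."""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

LDAPS_PORT = 636


@dataclass
class LdapsCheck:
    host: str
    ok: bool
    reason: str
    subject: dict = field(default_factory=dict)
    not_after: str = ""


def check_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 5.0,
                ca_file: Optional[str] = None) -> LdapsCheck:
    """Open a TLS session to a domain controller and validate its certificate.

    Verification uses the system trust store, or ca_file (the enterprise
    root CA, assumed to be PEM) when given. Hostname checking stays on,
    because vCenter verifies the DC name against the certificate as well.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:  # DNS, refused, untrusted cert...
        return LdapsCheck(host, False, f"{type(exc).__name__}: {exc}")
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return LdapsCheck(host, True, "certificate chain and hostname verified",
                      subject, cert.get("notAfter", ""))


def ldaps_urls(hosts: List[str]) -> List[str]:
    """Primary/secondary server URLs in the form the identity-source dialog takes."""
    return [f"ldaps://{h}:{LDAPS_PORT}" for h in hosts]


if __name__ == "__main__":
    for dc in ("dc01.corp.example", "dc02.corp.example"):  # constructed names
        result = check_ldaps(dc)
        print(f"{result.host}: {'OK' if result.ok else 'FAIL'} - {result.reason}")
```

A FAIL with a certificate-verification error means the DC certificate chain must be imported into vCenter (or the DC re-issued a certificate) before the identity source is changed, otherwise authentication breaks outright.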

So far there is no evidence, nor any statement from the vendor, that the bug is being exploited in the wild. It remains a critical issue, however, because several threat groups actively target vulnerabilities in vCenter Server, so administrators of these deployments should stay on top of any new security risks related to them.