No patches yet for VMware vCenter vulnerability disclosed last year

VMware has disclosed that it is still working on fixes for a high-severity privilege escalation flaw in the latest version of its vCenter Server, which was initially disclosed last November, BleepingComputer reports. Malicious actors could leverage the vulnerability, tracked as CVE-2021-22048 and identified by CrowdStrike researchers in vCenter Server's Integrated Windows Authentication Mechanism, to elevate privileges should they use a vector network adjacent to the server they are targeting, according to VMware. Such a bug was intended to be fixed by security patches issued in July, which were later retracted due to Secure Token Service crashes during the patching process. Users of vulnerable VMware vCenter Servers have been urged by the firm to use Active Directory over LDAPs authentication, with those using vSphere 7.0 also recommended to use Identity Provider Federation for AD FS. "Active Directory over LDAPs does not understand domain trusts, so customers that switch to this method will have to configure a unique identity source for each of their trusted domains. Identity Provider Federation for AD FS does not have this restriction," said VMware.