Combining Two Reported Zero-Day Vulnerabilities CVE-2021-22015 and newfound CVE-2022-22948 Could Result in Remote Takeover of Critical ESXi Managed Environments

BOSTON & TEL AVIV, Israel–Pentera, the leader in Automated Security Validation (ASV), today announced its Pentera Labs team discovered two zero-day vulnerabilities. If exploited by threat actors, the critical attack path may result in the ability to disable, disrupt and destroy VMware vCenter managed environments in over 500,000 organizations globally.

The vulnerabilities were reported to VMware by Senior Security Researcher Yuval Lazar and released under CVE-2022-22948 and CVE-2021-22015with a patch. Pentera Labs’ technical review of the vulnerabilities can be found hereDiscovered vulnerabilities require immediate patching to prevent malicious actors from achieving remote access to vCenter and inflicting widespread damage on organizations.

Installed in thousands of organizations worldwide and managing some of their most critical asset and core systems, VMware vCenter Servers are a high-priority target for cybercriminals. Once compromised, the ease and convenience that vCenter offers for managing virtualized hosts in enterprise environments will play into the adversary’s hands, providing centralized access and widespread Impact.

“As part of our daily work, we research the entire enterprise IT attack surfaces, including the exploitability of virtual workload environments such as vCenter and ESXi and discovered zero-day vulnerabilities,” said Alex Spivakovsky, VP of Research at Pentera. “We’re glad to have discovered and immediately disclosed these vulnerabilities to strengthen the defender community and have not seen evidence that malicious actors exploited it at this time.”

Pentera Labs discovered two vulnerabilities in VMWare’s vCenter that, if combined into a single attack vector, would allow malicious actors to take over an organization’s ESXi virtual computing infrastructure.

  • CVE-2021-22015: The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.
  • CVE-2022-22948: The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.

Pentera’s interest in VMWare’s vCenter started because of previously reported vulnerabilities, increasing demand from customers and threats observed in the wild, most notably recent reports of a python ransomware strain targeting ESXi. The team will continue to identify potential vulnerabilities within the platform that could affect businesses globally.

“Security readiness is not determined by a single vulnerability or the security team’s ability to discover and patch it,” said Pentera co-founder and CTO, Dr. Arik Liberzon. “Our award-winning security validation platform autonomously emulates the entire cyberattack kill chain and provides peace of mind for security leaders facing a multitude of internal and external attacks.”

Updates and Mitigations

To remediate CVE-2022-22948, apply the updates listed in VMware’s Advisory site: https://www.vmware.com/security/advisories/VMSA-2022-0009.html. There is no known workaround.

Research Presentations and Additional Resources

For an expert review of the new vulnerabilities and their potential impact, register for the technical review webinar.