VMware vCenter CVE-2022-31697

Published by Christian Mohn · Read in about 3 min (498 words)

VMware has released security advisory VMSA-2022-0030 which includes several vulnerabilities:

CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699

Among these CVE-2022-31697 caught my eye as a potential issue in many environments.

The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.

This means that any workstation in your environment that has run a vCenter Server Install, Upgrade, Migrate og Restore operation probably has plaintext credentials for vCenter lying around on the local disk. As we all know most ransom-/malware scans file systems for credentials before wrecking havoc in an environment, and cleartext credentials like this are easy to automatically find and pick up for later exploitation.

For Windows operating systems, these files are located in %AppData%\Roaming\vcsa-ui-installer.

I have not verified the location of those files on Mac or Linux operating systems yet, and frankly VMware should have disclosed those locations in the CVE or a KB.

Ensure that these files are deleted from all workstations that have been used to upgrade your vSphere environment the last few years.

Info

This also means the plaintext logs might be replicated to file servers and backed up/replicated elsewhere, so now might be a good time to change your administrator@vsphere.local password, even if you are running on a version that has been patched. These log files have been around since at least vCenter 6.5.

The advisory is valid for the following versions:

ProductVersion
vCenter Server7.0
vCenter Server6.7
vCenter Server6.5

Note that vCenter 8.0 is not included.

My Thoughts #

I really wish VMware had been clearer in their recommendations in this advisory. At the very least the location of the files/logs with plaintext passwords should have been disclosed, to make cleanup from older versions easier for admins to search for in their environment. Given the average dwell time for ransomware before actually doing harm, odds are that the passwords in these files are already compromised.

While it is virtually impossible for VMware to clean this up retroactively, detailing proper cleanup procedures for residual files should really be the minimum effort here.

Highlighting the possible need to change passwords should also have been included in the advisory. Simply patching the vCenter instance with a new version does not fix the issue in this case, as the credentials leakage comes from previous versions of the installer. Thus passwords might be stored in log files from older non-patched versions on workstations in your environment, even on workstations no-one remembers running an install from back when the vCenter 6.7 appliance was released in 2018 (and if you haven’t changed the administrator password since then, it’s obviously time to do it now).

In my mind, a KB should have been issued with the CVE, highlighting the locations of the logs in question, the likely need for password rotation and the actual real world ramifications of the issue.

Post last updated on January 2, 2024: Add author

About

vNinja.net is the online hub of Christian Mohn and Stine Elise Larsen.

The site primarily focuses on IT architecture and data center technologies, with a strong emphasis on virtualization and related topics.
While the main content revolves around these areas, you'll also find a range of other subjects covered from time to time, reflecting the interests of authors.

Sponsors