VMware has released security advisory VMSA-2022-0030 which includes several vulnerabilities:
CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699
Among these, CVE-2022-31697 caught my eye as a potential issue in many environments.
The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. A malicious actor with access to a workstation that invoked a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore) can access plaintext passwords used during that operation.
This means that any workstation in your environment that has run a vCenter Server Install, Upgrade, Migrate or Restore operation probably has plaintext vCenter credentials lying around on its local disk. As we all know, most ransomware and malware scan file systems for credentials before wreaking havoc in an environment, and cleartext credentials like these are easy to find automatically and pick up for later exploitation.
For Windows operating systems, these files are located in %AppData%\Roaming\vcsa-ui-installer.
I have not verified the location of those files on Mac or Linux operating systems yet, and frankly VMware should have disclosed those locations in the CVE or a KB.
Ensure that these files are deleted from all workstations that have been used to install or upgrade your vSphere environment in the last few years.
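To make that cleanup repeatable across a fleet, here is an added PowerShell example (my own, not from VMware or the advisory) that inventories the vcsa-ui-installer directory in every user profile on a list of Windows workstations, records when the files were last written (which tells you how far back the exposure goes), and removes the directory only when run with -Remove. It assumes WinRM/PowerShell remoting is enabled, that you hold local administrator rights on the targets, and that the directory sits under each profile's AppData\Roaming folder, which is where %AppData% resolves; the computer names are constructed placeholders.

```powershell
# Added example (not from the advisory or the original post): inventory and remove
# leftover vcsa-ui-installer log directories on Windows workstations.
# Assumptions: PowerShell remoting is enabled, the caller is a local admin on the
# targets, and the installer writes per user under <profile>\AppData\Roaming.
# The default computer names are constructed placeholders.

param(
    [string[]] $ComputerName = @('WORKSTATION01', 'WORKSTATION02'),  # placeholders
    [switch]   $Remove                                               # default: report only
)

$scanBlock = {
    param([bool] $DoRemove)

    $results = @()
    # Check every local user profile, not just the one you are logged in as:
    # the admin who ran the upgrade years ago is rarely the one scanning today.
    foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $dir = Join-Path $profile.FullName 'AppData\Roaming\vcsa-ui-installer'
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        $files = Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $results += [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Profile       = $profile.Name
                File          = $f.FullName
                LastWriteTime = $f.LastWriteTime
                SizeKB        = [math]::Round($f.Length / 1KB, 1)
                Removed       = $false
            }
        }

        if ($DoRemove) {
            # Remove the whole directory; a partial delete leaves the same exposure behind.
            Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction Stop
            $results | Where-Object { $_.Profile -eq $profile.Name } |
                ForEach-Object { $_.Removed = $true }
        }
    }
    $results
}

$report = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scanBlock `
                         -ArgumentList $Remove.IsPresent

# The oldest LastWriteTime is the earliest date the password may have been exposed;
# anything older than your last administrator password change means rotate it.
$report | Sort-Object LastWriteTime |
    Format-Table Computer, Profile, LastWriteTime, SizeKB, File, Removed -AutoSize

# Keep the report: it is your evidence of which hosts held the logs and for how long.
$report | Export-Csv -Path '.\vcsa-installer-log-report.csv' -NoTypeInformation
```

Run it first without -Remove to get the inventory, and treat every workstation that shows up as a place where the vCenter administrator password has been sitting in cleartext since the listed date. The report also gives you the list of hosts whose profiles or folder redirections may have copied those logs to file servers and backups.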
This also means the plaintext logs might have been replicated to file servers and backed up or replicated elsewhere, so now might be a good time to change your email@example.com password, even if you are running a version that has been patched. These log files have been around since at least vCenter 6.5.
The advisory is valid for the following versions:
Note that vCenter 8.0 is not included.
My Thoughts
I really wish VMware had been clearer in their recommendations in this advisory. At the very least the location of the files/logs with plaintext passwords should have been disclosed, to make it easier for admins to search their environment and clean up leftovers from older versions. Given the average dwell time for ransomware before it actually does harm, odds are that the passwords in these files are already compromised.
While it is virtually impossible for VMware to clean this up retroactively, detailing proper cleanup procedures for residual files should really be the minimum effort here.
Highlighting the possible need to change passwords should also have been included in the advisory. Simply patching the vCenter instance to a new version does not fix the issue in this case, as the credential leakage comes from previous versions of the installer. Thus passwords might be stored in log files from older, unpatched versions on workstations in your environment, even on workstations no-one remembers running an install from back when the vCenter 6.7 appliance was released in 2018 (and if you haven’t changed the administrator password since then, it’s obviously time to do it now).
In my mind, a KB should have been issued with the CVE, highlighting the locations of the logs in question, the likely need for password rotation and the actual real world ramifications of the issue.