VMware Security Advisory VMSA-2022-0030: A Call to Action for All vSphere Environments
Introduction
VMware has recently released security advisory VMSA-2022-0030, which addresses several vulnerabilities in ESXi and vCenter Server. Among them, CVE-2022-31697 caught my attention as an issue that is probably present in many environments, patched or not. It is an information disclosure vulnerability: the vCenter Server installer writes credentials to its log files in plaintext, and those files stay on disk long after the installer has finished. In this article I give an overview of the vulnerability, its implications, and the actions I recommend to contain the risk.
CVE-2022-31697: Information Disclosure Vulnerability
CVE-2022-31697 concerns the logging of credentials in plaintext during vCenter Server Appliance ISO operations (Install, Upgrade, Migrate and Restore) run from a Windows workstation. The UI installer writes its logs under the user's roaming application-data folder: %APPDATA% already expands to C:\Users\<user>\AppData\Roaming, so the directory is %APPDATA%\vcsa-ui-installer, i.e. C:\Users\<user>\AppData\Roaming\vcsa-ui-installer. This means that any workstation in your environment that has ever run a vCenter Server Install, Upgrade, Migrate or Restore operation probably has plaintext vCenter credentials, including the administrator@vsphere.local password, lying around on the local disk. Ransomware and commodity malware routinely sweep file systems for credential material before wreaking havoc in an environment, and plaintext passwords in a predictably named folder are trivial to find automatically and stash for later use.
Implications and Risks
The implications are severe. The administrator@vsphere.local account has full control over vCenter Server, and vCenter in turn manages every ESXi host and virtual machine it controls, so an attacker who recovers these passwords can log in to vCenter, move laterally through the environment, and cause significant damage. Moreover, the logs live in AppData\Roaming, which is exactly the part of a Windows profile that follows the user around with roaming profiles and that is commonly synchronised to file servers, backed up, or replicated elsewhere. Deleting the files on one workstation therefore does not guarantee that no copy exists anywhere else.
Recommended Actions
To mitigate the risk associated with CVE-2022-31697, I recommend taking the following actions:
1. Find and delete the installer logs containing plaintext passwords on every workstation that has ever been used for vCenter Server Install, Upgrade, Migrate or Restore operations. On Windows the files live in %APPDATA%\vcsa-ui-installer (C:\Users\<user>\AppData\Roaming\vcsa-ui-installer); check every user profile on the machine, not just your own.
2. Change the administrator@vsphere.local password, along with any other account whose password was typed into the installer, even if you are already running a patched version. Patching stops new logs from being written but does not remove the ones that already exist, and copies of those logs may sit in roaming profiles, file servers and backups that you cannot be certain you have cleaned up.
3. Review and update your incident response plan to include procedures for handling residual files left behind by older versions of the installer.
4. Consider implementing a password rotation policy so that long-lived privileged passwords such as administrator@vsphere.local are rotated regularly, which limits how long a leaked copy stays useful.
5. Ensure that your vSphere environment is updated to the fixed versions listed in the advisory for CVE-2022-31697, so that future installer runs no longer write credentials to the logs.
Conclusion
In conclusion, CVE-2022-31697 is rated only moderate severity in the advisory, but the combination of a well-known path, a plaintext vCenter administrator password and the habit of roaming or backing up AppData makes it a practical and lasting exposure rather than a theoretical one. Patching alone does not close it. By removing the residual installer logs on every workstation, rotating the affected passwords and updating vCenter to a fixed version, you can remove the leaked credentials and the conditions that produced them. I urge all vSphere administrators to take this advisory seriously and act on it promptly.