Security Alert

VMware Security Advisory VMSA-2022-0030: A Call to Action for vSphere Environments

On December 13, 2022, VMware released security advisory VMSA-2022-0030, which covers several vulnerabilities affecting vCenter Server and vSphere environments. Among them, CVE-2022-31697 caught our attention as a likely issue in many environments: vCenter Server contains an information disclosure vulnerability caused by the logging of credentials in plaintext, which can have serious consequences if not addressed promptly.

The vulnerability arises because, when a workstation runs a vCenter Server Appliance ISO operation (Install/Upgrade/Migrate/Restore), the plaintext passwords used during that operation are written to log files on the workstation's local disk. In other words, any workstation in your environment that has ever run a vCenter Server Install, Upgrade, Migrate or Restore operation probably still has plaintext vCenter credentials lying around on disk. On Windows the files live in %APPDATA%\vcsa-ui-installer, which expands to C:\Users\<user>\AppData\Roaming\vcsa-ui-installer (note that %APPDATA% already points at the Roaming folder). We have not yet verified the location of these files on Mac or Linux.

The problem with plaintext credentials is that they are easy to find and harvest for later use by malicious actors, particularly ransomware and other malware that scans file systems for credentials before wreaking havoc in an environment. It is therefore essential to make sure these files are deleted from every workstation that has been used to install or upgrade your vSphere environment over the last few years.

Moreover, the plaintext logs may have been replicated to file servers (roaming profiles, folder redirection, user backups) and backed up or replicated elsewhere, so now is a good time to change your administrator@vsphere.local password, even if you are running a patched version. These log files have been around since at least vCenter 6.5, so the exposure window is several years, and it is important to address this promptly.

The advisory lists the following affected versions: vCenter 6.5, 6.7 and 7.0. vCenter 8.0 is not included, which we find disappointing and confusing. VMware should have been clearer in its recommendations, especially about the location of the files/logs that contain plaintext passwords and the proper cleanup procedure for residual files.

In light of this vulnerability, it is essential to take immediate action to protect your vSphere environment. We recommend the following steps:

1. Check all workstations in your environment that have been used to run vCenter Server Appliance ISO operations (Install/Upgrade/Migrate/Restore) over the last few years, and delete the plaintext credential files located in %APPDATA%\vcsa-ui-installer (C:\Users\<user>\AppData\Roaming\vcsa-ui-installer) on Windows. Check every user profile on the workstation, not just the one you are logged in with.

2. Change your administrator@vsphere.local password, even if you are running a patched version. This is also a good opportunity to rotate any other passwords that were typed into the installer (for example the appliance root password) and to make sure they are strong and unique.

3. Review the advisory for additional recommendations and take note of the affected versions.

4. Keep an eye on your environment for suspicious activity or changes, in particular unexpected logins as administrator@vsphere.local, and be prepared to act quickly if you suspect a breach.
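The cleanup in steps 1 and 2 above is easy to get wrong by hand, because the installer directory is per user profile and the point is to confirm the files actually carried credentials before you delete them. The following PowerShell script is an added example written for this post; it is not VMware's code and not part of the advisory. It walks every profile under C:\Users, finds any vcsa-ui-installer directory, reports which files contain a password-looking field (without printing the values), and deletes the directory only when run with -Remove. The search pattern is an assumption: it matches the common JSON and key=value forms such as "password": "..." and password=..., which is what a reviewer would grep for first.

```powershell
# Added example (not from the advisory or the original post): find and clean up
# vcsa-ui-installer log directories left behind by VCSA Install/Upgrade/Migrate/Restore
# runs on a Windows workstation. Run as an administrator so every profile is readable.
[CmdletBinding()]
param(
    [string]$ProfileRoot = 'C:\Users',   # assumption: default Windows profile root
    [switch]$Remove                      # report only unless this switch is given
)

# Assumed credential-looking field pattern: "password": "x", password=x, pwd: x ...
$pattern = '(?i)"?(password|passwd|pwd)"?\s*[:=]\s*"?[^"\s,]+'

# %APPDATA% is per user, so look under every profile, not just the current one.
$dirs = Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\vcsa-ui-installer' } |
    Where-Object { Test-Path -Path $_ }

if (-not $dirs) {
    Write-Output "No vcsa-ui-installer directories found under $ProfileRoot"
    return
}

foreach ($dir in $dirs) {
    $files  = @(Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue)
    $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
    $oldest = ($files | Sort-Object -Property LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Output ("{0}: {1} file(s), {2:N0} bytes, oldest write {3}" -f $dir, $files.Count, $bytes, $oldest)

    # Name the files that carry a credential-looking line; never echo the matched value.
    $hits = $files | Select-String -Pattern $pattern -List -ErrorAction SilentlyContinue
    foreach ($hit in $hits) {
        Write-Warning ("credential-looking field in {0} (line {1})" -f $hit.Path, $hit.LineNumber)
    }

    if ($Remove) {
        # Delete the whole directory; the installer recreates it on its next run.
        Remove-Item -Path $dir -Recurse -Force
        Write-Output "Removed $dir"
    }
}
```

Run it once without -Remove to see what it finds, then again with -Remove. The "oldest write" timestamp tells you how far back the exposure goes on that machine, which is useful when deciding how far back your backups and file-server replicas need to be checked. Remove-Item only unlinks the files; it does not securely wipe them and does nothing about copies that have already been backed up or replicated, which is exactly why step 2 (rotating the password) is not optional.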

In conclusion, VMware Security Advisory VMSA-2022-0030 highlights a serious vulnerability in vCenter Server that can have real consequences if not addressed promptly. We recommend taking immediate action to protect your vSphere environment by deleting the plaintext credential files, rotating passwords, and reviewing the advisory for additional recommendations. Remember that it is virtually impossible for VMware to clean this up retroactively, since the files sit on your workstations and not on the appliance, so a proper cleanup of residual files should be the minimum effort here. We hope VMware will issue a KB for the CVE that states the locations of the logs in question, the likely need for password rotation, and the real-world ramifications of the issue, so that admins can address this vulnerability effectively.