Virtual Alarm: VMware Issues Major Security Advisory
VMware vCenter Servers need immediate patch against critical RCE bug as race against threat actors begins.
October 25, 2023
VMware urged customers to update VMware vCenter Servers against a critical flaw that could potentially lead to remote code execution (RCE) and assigned a CVSS severity score of 9.8.
The vCenter Server flaw, tracked as CVE-2023-34048, could allow an attacker with network access to trigger an out-of-bounds write, the VMware advisory explained. "vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol," the vendor added.
The vCenter Server platform is used for managing vSphere installations in hybrid cloud environments.
John Gallagher, vice president with Viakoo Labs, characterized the bug in a statement as "serious as it gets," because it's both dangerous and impacts VMware vCenter Servers, which are widely used across a variety of organizations and industry sectors.
"The reason for it having a severity score of 9.8 is in how it devastates the entire CIA Triad of confidentiality, integrity, and availability," Gallagher explained. "Successful exploit of this CVE gives complete access to the environment, and enables remote code execution for further exploitation."
Another sure sign of the severity is VMware taking the unusual step of offering up patches for old versions, Mayuresh Dani, security research manager at Qualys, explained in a statement.
"The fact that VMware released patches for end of life (EOL) versions that are affected by this vulnerability speaks to how critical it is, since EOL software seldom gets patched," Dani added.
The advisory said patches will be issued for vCenter Server 6.7U3, 6.5U3, and VCF 3.x, as well as vCenter Server 8.0U1.
Second Patch for VMware Cloud Foundation
An additional flaw was reported by VMware in its VMware Cloud Foundation, but this bug, tracked as CVE-2023-34056, has been assigned a less urgent CVSS score of 4.3. The vulnerability could allow an unauthorized user to access data, the advisory explained.
Both flaws were responsibly reported by researchers, VMware added in its advisory. However, as organizations rush to patch, there will be an inevitable "window of vulnerability" for threat actors to take advantage of unpatched systems, Gallagher added.
"Organizations using vCenter Server should ensure they have a current inventory of its usage, and a plan to patch," Gallagher advised. "Mitigation for this directly appears limited, but using network access control and monitoring might catch lateral movement once a threat actor uses this to gain a foothold."
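The inventory-and-patch-plan step Gallagher describes is the one part of this story a defender can script. The example below is added here and is not VMware's code or anything from the advisory: it takes an inventory of vCenter appliances (version string plus build number), compares each against a per-product-line fixed-build table, and reports which hosts still need the patch and which fall outside the table and need manual review. The build thresholds in `FIXED_BUILDS` are placeholders to be replaced with the values from the VMSA advisory; the hostnames and builds in `SAMPLE_INVENTORY` are constructed. The `from_rest_payload` helper assumes the vCenter appliance REST endpoint `GET /api/appliance/system/version` returns a JSON object with `version` and `build` fields; the script never calls the network itself.

```python
"""Flag vCenter appliances still below the fixed build for their product line.

Added example for inventory triage; not VMware code. FIXED_BUILDS holds
PLACEHOLDER thresholds: fill them from the VMware advisory before use.
"""
from dataclasses import dataclass
from typing import Optional

# Placeholder fixed builds keyed by product line (major.minor). The lines are
# those the article names as receiving patches; the numbers are constructed
# and must be replaced with the builds listed in the advisory.
FIXED_BUILDS = {
    "6.5": 1_000_000,
    "6.7": 2_000_000,
    "8.0": 3_000_000,
}


@dataclass
class Appliance:
    hostname: str
    version: str  # e.g. "8.0.1" or "8.0.1.00300" as the appliance reports it
    build: int


def product_line(version: str) -> str:
    """Reduce a version string such as '8.0.1.00300' to its line '8.0'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def needs_patch(app: Appliance) -> Optional[bool]:
    """True if the build is below the fixed build for its line, False if at or
    above it, None if the line is not in FIXED_BUILDS (needs manual review)."""
    fixed = FIXED_BUILDS.get(product_line(app.version))
    if fixed is None:
        return None
    return app.build < fixed


def from_rest_payload(hostname: str, payload: dict) -> Appliance:
    """Build an Appliance from the JSON returned by the (assumed) appliance
    endpoint GET /api/appliance/system/version, which reports 'version' and
    'build' as strings."""
    return Appliance(hostname, str(payload["version"]), int(payload["build"]))


def triage(inventory: list[Appliance]) -> tuple[list[str], list[str]]:
    """Return (hosts_to_patch, hosts_needing_manual_review), in inventory order."""
    to_patch, unknown = [], []
    for app in inventory:
        verdict = needs_patch(app)
        if verdict is None:
            unknown.append(app.hostname)
        elif verdict:
            to_patch.append(app.hostname)
    return to_patch, unknown


# Constructed sample inventory; hostnames and builds are not real.
SAMPLE_INVENTORY = [
    Appliance("vc-prod-01.example.test", "8.0.1", 2_999_999),     # below threshold
    Appliance("vc-prod-02.example.test", "8.0.2.00100", 3_000_000),  # at threshold
    Appliance("vc-legacy-01.example.test", "6.7.0", 1_999_000),   # EOL line, below
    Appliance("vc-lab-01.example.test", "7.0.3", 500),            # line not in table
]

if __name__ == "__main__":
    patch, review = triage(SAMPLE_INVENTORY)
    print("needs patch:", ", ".join(patch) or "none")
    print("manual review:", ", ".join(review) or "none")
```

Hosts in the "manual review" bucket are the ones to chase first: an appliance whose line is absent from the table is exactly the gap a patch plan tends to miss, which is why the function refuses to guess and returns `None` rather than silently treating it as safe.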