Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Posts
Filter by Categories







[CVSS 9+] Critical Security Fix for VMware vCenter

Executive Summary

VMware has released security updates to address a critical vulnerability in the vCenter Server. This vulnerability could potentially allow remote code execution on compromised systems.

The vulnerability, identified as CVE-2023-34048 with a CVSS score of 9.8, is defined as an out-of-bounds write vulnerability in the DCE/RPC protocol implementation.

Additionally, a secondary vulnerability, CVE-2023-34056 (CVSS score: 4.3), was addressed that involves partial information disclosure.

VMware urges users to apply the patches swiftly to mitigate potential threats.

About the Vulnerabilities

The critical flaw, tracked as CVE-2023-34048, with a CVSS score of 9.8, is an out-of-bounds write vulnerability within the implementation of the DCE/RPC protocol. According to the advisory from VMware, a malicious actor with network access to the vCenter Server can trigger this vulnerability, potentially leading to remote code execution.

This critical flaw was discovered and reported by Grigory Dorodnov of Trend Micro Zero Day Initiative.

The other vulnerability fixed, CVE-2023-34056 (CVSS score: 4.3), is a partial information disclosure vulnerability in the vCenter Server. It could allow a malicious actor with non-administrative privileges to access unauthorised data.

VMware is not aware of any in-the-wild exploitations of these vulnerabilities,

VMware’s Response

VMware strongly recommends users to promptly apply the patches to avert potential threats. Detailed information regarding the security fix for both vulnerabilities can be found in VMware’s security advisory.

Here is a table that lists the vulnerabilities and their corresponding fixed versions for each affected product provided in the advisory:

Please note that VMware is also developing a patch for vCenter Server versions 6.7U3, 6.5U3, and VCF 3.x since the fix addresses a critical vulnerability and there are no workarounds.

RECENT BLOG POSTS

PODCASTS

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.