VMware urged customers to update VMware vCenter Servers against a critical flaw that could potentially lead to remote code execution (RCE) and assigned a CVSS severity score of 9.8.
The vCenter Server flaw, tracked under CVE-2023-34048, could allow an attacker with network access to trigger an out-of-bounds write, the VMware advisory explained. The vendor added that “vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol.”
The vCenter Server platform is used for managing vSphere installations in hybrid cloud environments.
John Gallagher, vice president with Viakoo Labs, characterized the bug in a statement as “serious as it gets,” because it’s both dangerous and impacts VMware vCenter Servers, which are widely used across a variety of organizations and industry sectors.
“The reason for it having a severity score of 9.8 is in how it devastates the entire CIA Triad of confidentiality, integrity, and availability,” Gallagher explained. “Successful exploit of this CVE gives complete access to the environment, and enables remote code execution for further exploitation.”
Another sure sign of the severity is VMware taking the unusual step of offering up patches for old versions, Mayuresh Dani, security research manager at Qualys, explained in a statement.
“The fact that VMware released patches for end of life (EOL) versions that are affected by this vulnerability speaks to how critical it is, since EOL software seldom gets patched,” Dani added.
The advisory said patches will be issued for vCenter Server 6.7U3, 6.5U3, and VCF 3.x, as well as vCenter Server 8.0U1.
Second Patch for VMware Cloud Foundation
An additional flaw was reported by VMware in its VMware Cloud Foundation, but this bug, tracked under CVE-2023-34056, has been assigned a less urgent CVSS score of 4.3. The vulnerability could allow an unauthorized user to access data, the advisory explained.
Both flaws were responsibly reported by researchers, VMware added in its advisory. However, as organizations rush to patch, there will be an inevitable “window of vulnerability” for threat actors to take advantage of unpatched systems, Gallagher added.
“Organizations using vCenter Server should ensure they have a current inventory of its usage, and a plan to patch,” Gallagher advised. “Mitigation for this directly appears limited, but using network access control and monitoring might catch lateral movement once a threat actor uses this to gain a foothold.”