VMware issued information updates to hole a captious vCenter Server vulnerability that tin beryllium exploited to gain remote codification execution attacks connected susceptible servers.
vCenter Server is nan cardinal guidance hub for VMware's vSphere suite, and it helps administrators negociate and show virtualized infrastructure.
The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is owed to an out-of-bounds write weakness successful vCenter's DCE/RPC protocol implementation.
Unauthenticated attackers tin utilization it remotely successful low-complexity attacks that don't require personification interaction. The institution says it has nary grounds that nan CVE-2023-34048 RCE bug is presently utilized successful attacks.
Security patches addressing this rumor are now accessible done nan modular vCenter Server update mechanisms. Due to nan captious quality of this bug, VMware has besides issued patches for aggregate end-of-life products that are nary longer nether progressive support.
"While VMware does not mention end-of-life products successful VMware Security Advisories, owed to nan captious severity of this vulnerability and deficiency of workaround VMware has made a spot mostly disposable for vCenter Server 6.7U3, 6.5U3, and VCF 3.x," nan institution said.
"For nan aforesaid reasons, VMware has made further patches disposable for vCenter Server 8.0U1. Async vCenter Server patches for VCF 5.x and 4.x deployments person been made available."
No workaround available
Because a workaround is unavailable, VMware urges admins to strictly power web perimeter entree to vSphere guidance components and interfaces, including retention and web components.
The circumstantial web ports linked to imaginable exploitation successful attacks targeting this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp.
The institution besides patched a partial accusation disclosure vulnerability pinch a 4.3/10 severity CVSS guidelines people tracked arsenic CVE-2023-34056 that whitethorn beryllium leveraged by threat actors pinch non-administrative privileges to vCenter servers to entree delicate data.
"This would beryllium considered an emergency change, and your statement should see acting quickly," VMware said successful a abstracted FAQ document.
"However, each information consequence depends connected context. Please consult pinch your organization's accusation information unit to find nan correct people of action for your organization."
In June, VMware patched multiple high-severity vCenter Server information flaws, mitigating codification execution and authentication bypass risks.
The aforesaid week, VMware fixed an ESXi zero-day exploited by Chinese authorities hackers successful information theft attacks and alerted customers to an actively exploited captious flaw successful nan Aria Operations for Networks analytics tool, which has since been patched.