VMware fixes critical code execution flaw in vCenter Server

Trending 1 month ago
  1. Home
  2. Technology
  3. VMware fixes critical code execution flaw in vCenter Server

VMware

VMware issued information updates to hole a captious vCenter Server vulnerability that tin beryllium exploited to gain remote codification execution attacks connected susceptible servers.

vCenter Server is nan cardinal guidance hub for VMware's vSphere suite, and it helps administrators negociate and show virtualized infrastructure.

The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is owed to an out-of-bounds write weakness successful vCenter's DCE/RPC protocol implementation.

Unauthenticated attackers tin utilization it remotely successful low-complexity attacks that don't require personification interaction. The institution says it has nary grounds that nan CVE-2023-34048 RCE bug is presently utilized successful attacks.

Security patches addressing this rumor are now accessible done nan modular vCenter Server update mechanisms. Due to nan captious quality of this bug, VMware has besides issued patches for aggregate end-of-life products that are nary longer nether progressive support.

"While VMware does not mention end-of-life products successful VMware Security Advisories, owed to nan captious severity of this vulnerability and deficiency of workaround VMware has made a spot mostly disposable for vCenter Server 6.7U3, 6.5U3, and VCF 3.x," nan institution said.

"For nan aforesaid reasons, VMware has made further patches disposable for vCenter Server 8.0U1. Async vCenter Server patches for VCF 5.x and 4.x deployments person been made available."

No workaround available

Because a workaround is unavailable, VMware urges admins to strictly power web perimeter entree to vSphere guidance components and interfaces, including retention and web components.

The circumstantial web ports linked to imaginable exploitation successful attacks targeting this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp.

The institution besides patched a partial accusation disclosure vulnerability pinch a 4.3/10 severity CVSS guidelines people tracked arsenic CVE-2023-34056 that whitethorn beryllium leveraged by threat actors pinch non-administrative privileges to vCenter servers to entree delicate data.

"This would beryllium considered an emergency change, and your statement should see acting quickly," VMware said successful a abstracted FAQ document.

"However, each information consequence depends connected context. Please consult pinch your organization's accusation information unit to find nan correct people of action for your organization."

In June, VMware patched multiple high-severity vCenter Server information flaws, mitigating codification execution and authentication bypass risks.

The aforesaid week, VMware fixed an ESXi zero-day exploited by Chinese authorities hackers successful information theft attacks and alerted customers to an actively exploited captious flaw successful nan Aria Operations for Networks analytics tool, which has since been patched.

Related Article

Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks

Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks

9 hours ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

11 hours ago
US Health Dept urges hospitals to patch critical Citrix Bleed bug

US Health Dept urges hospitals to patch critical Citrix Bleed bug

12 hours ago
The Week in Ransomware - December 1st 2023 - Police hits affiliates

The Week in Ransomware - December 1st 2023 - Police hits affiliates

1 day ago
TrickBot malware dev pleads guilty, faces 35 years in prison

TrickBot malware dev pleads guilty, faces 35 years in prison

1 day ago
Hackers use new Agent Raccoon malware to backdoor US targets

Hackers use new Agent Raccoon malware to backdoor US targets

1 day ago

Trending

1. Texas
2. FC Cincinnati
3. Duke Basketball
4. Kentucky basketball
5. Boise State football
6. Jalen Milroe
7. Tulane football
8. Suns
9. UFC
10. Florida State

Popular Article

These developers are doing something amazing with iPhone and iPad apps

These developers are doing something amazing with iPhone and iPad apps

12 hours ago
The best movies on Apple TV+ right now (December 2023)

The best movies on Apple TV+ right now (December 2023)

13 hours ago
7 best funny Christmas movies you should watch this holiday season

7 best funny Christmas movies you should watch this holiday season

13 hours ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

11 hours ago
iOS 17: How to share contacts using Apple’s amazing NameDrop feature

iOS 17: How to share contacts using Apple’s amazing NameDrop feature

15 hours ago
The Game Awards 2023: how to watch and what to expect

The Game Awards 2023: how to watch and what to expect

14 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.