VMware has released security updates for a critical flaw in vCenter Server that can allow remote code execution on vulnerable systems.
The flaw, tracked as CVE-2023-34048 (CVSS score 9.8), is an out-of-bounds write in vCenter Server's implementation of the DCE/RPC protocol. In its advisory (VMSA-2023-0023), VMware said that a malicious actor with network access to vCenter Server may trigger the out-of-bounds write, potentially leading to remote code execution; the 9.8 score reflects that no authentication or user interaction is required.
The vulnerability was discovered and reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative.
There is no workaround. The only interim measure VMware offers is strict network perimeter access control to vCenter Server's management components and interfaces until the fix is applied. The flaw is fixed in the following releases:
- VMware vCenter Server 8.0 (8.0U1d or 8.0U2)
- VMware vCenter Server 7.0 (7.0U3o)
- VMware Cloud Foundation 5.x and 4.x
Because the flaw is critical and there is no workaround, VMware has also released patches for vCenter Server 6.7U3, 6.5U3 and VCF 3.x, even though those releases are past the end of general support.
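With no workaround, the only interim control is making sure the vulnerable DCE/RPC listeners are not reachable from untrusted networks until the patch is applied. The following script is an added example, not VMware's tooling or anything from the advisory: it probes the DCE/RPC ports from whatever network segment it is run on and reports which ones answer, so you can verify a perimeter rule actually holds. The port list (2012/tcp, 2014/tcp, 2020/tcp) is the set VMware's advisory associates with this vulnerability; treat it as an assumption to confirm against the current advisory text.

```python
"""Probe a vCenter Server's DCE/RPC ports from the current vantage point.

Added example (not VMware's code). Run it from a network segment that
should NOT be able to reach vCenter management interfaces; any port
reported 'open' means an unpatched vCenter is exposed from there.
"""
import socket
import sys

# Assumption: these are the DCE/RPC ports VMware's advisory for
# CVE-2023-34048 names; confirm against the advisory before relying on it.
VCENTER_DCERPC_PORTS = (2012, 2014, 2020)


def probe_port(host, port, timeout=2.0):
    """Classify one TCP port as seen from this host.

    'open'     - TCP handshake completed (a listener answered)
    'closed'   - RST / connection refused (host reachable, nothing listening)
    'filtered' - no answer within timeout (typically a firewall drop)
    'error'    - other socket error (bad hostname, no route, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def check_exposure(host, ports=VCENTER_DCERPC_PORTS, timeout=2.0):
    """Probe every port in `ports` and return a {port: state} mapping."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(results):
    """Ports that completed a handshake, i.e. the reachable DCE/RPC surface."""
    return sorted(port for port, state in results.items() if state == "open")


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <vcenter-host>", file=sys.stderr)
        return 2
    host = argv[1]
    results = check_exposure(host)
    for port, state in results.items():
        print(f"{host}:{port}/tcp {state}")
    reachable = exposed_ports(results)
    if reachable:
        print(f"DCE/RPC reachable on {reachable}: an unpatched vCenter is exposed from here")
        return 1
    print("no DCE/RPC port reachable from this vantage point")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A 'filtered' result is the outcome you want from an untrusted segment; 'closed' still means the host is routable and only the listener is absent, which is worth a second look if the vCenter is supposed to be fully isolated. The check is a point-in-time reachability test, not a substitute for the patch.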
The same update also fixes CVE-2023-34056, a partial information disclosure vulnerability in vCenter Server (CVSS score 4.3). A malicious actor with non-administrative privileges on vCenter Server could use it to access unauthorized data.
At the time of the advisory VMware said it was not aware of in-the-wild exploitation of either flaw, but it urged customers to apply the patches immediately.
Organizations running vCenter Server should update without delay: with no workaround available, patching is the only complete protection against these vulnerabilities.