Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

VMware vCenter Flaw So Critical, Patches Released for End-of-Life Products

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.

VMware zero-day CVE-2023-20867 exploited

Virtualization technology powerhouse VMware is calling urgent attention to a critical remote code execution flaw haunting its vCenter Server and VMware Cloud Foundation products.

The company said the vulnerability, tagged as CVE-2023-34048, allows a malicious hacker with network access to launch remote code execution exploits.

A critical-severity advisory from VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol.  The company flagged the bug with a CVSS severity score of 9.8/10.

Due to the critical nature of this issue, VMware also released patches for older, end-of-life products, including vCenter Server 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1. Asynchronous vCenter Server patches for VCF 5.x and 4.x are also available.

The bulletin also documents a second moderate-severity flaw — CVE-2023-34056 — that could lead to the partial disclosure of information.

A malicious actor with non-administrative privileges can exploit this to access unauthorized data, VMware said, urging vCenter Server and Cloud Foundation users to urgently apply the available updates.

In a separate advisory covering security problems in VMware Aria Operations for Logs, the company warned that exploit code for an authentication bypass flaw has been published online, adding to the urgency to apply available patches.

“An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution,” VMWare warned.

Advertisement. Scroll to continue reading.

The VMware Aria Operations for Logs vulnerability, tracked as CVE-2023-34051, carries a maximum CVSSv3 base score of 8.1/10.  

Related: Exploit Code Published for Critical-Severity VMware Security Defect

Related: VMware Patches Major Security Flaws in Network Monitoring Product

Related: VMware Patches Code Execution Vulnerabilities in vCenter Server

Related:VMware Confirms Live Exploits Hitting Just-Patched Security Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.

Register

As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.