VMware has patched several high-severity security vulnerabilities in vCenter Server that may allow attackers to gain code execution and bypass authentication on unpatched systems.
vCenter Server is VMware’s vSphere Suite control center and server management solution that helps administrators manage and monitor virtualized infrastructure.
The security bugs were found in the implementation of the DCE/RPC protocol used by vCenter Server. This protocol enables seamless operation across multiple systems by creating a unified virtual computing environment.
VMware today released security updates for four high-severity bugs, including a heap overflow (CVE-2023-20892), a use-after-free (CVE-2023-20893), an out-of-bounds read (CVE-2023-20895), and an out-of-bounds write (CVE-2023-20894).
The first two (CVE-2023-20892, CVE-2023-20893) can be exploited by unauthenticated attackers with network access to achieve code execution in high-complexity attacks that do not require user interaction and could lead to a total loss of confidentiality, integrity and availability.
“vCenter Server contains a heap overflow vulnerability due to uninitialized memory usage in the DCERPC protocol implementation,” VMware said.
“A malicious actor with network access to vCenter Server can exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.”
Threat actors targeting CVE-2023-20895 can trigger out-of-bounds read and memory corruption, allowing them to bypass authentication on unpatched vCenter Server appliances.
A fifth vCenter Server out-of-bounds read vulnerability, tracked as CVE-2023-20896, can be remotely exploited in denial-of-service attacks targeting multiple VMware services on the target host (e.g., vmcad, vmdird, vmafdd).
All of the vulnerabilities discussed today were discovered and reported by Cisco Talos security researchers Dimitrios Tatsis and Aleksandar Nikolic.
Last week, VMware patched an ESXi zero-day exploited by Chinese state hackers to hijack Windows and Linux virtual machines and steal data.
On Tuesday, the company also warned customers that a now-patched critical vulnerability in the Aria Operations for Networks scanning tool is being actively exploited in attacks.