VMware Releases Patch for Critical vCenter Server RCE Vulnerability

Oct 25, 2023 | Newsroom | Vulnerability / Cyber Threat

The vCenter Server RCE Vulnerability

VMware has released security updates to address a critical flaw in vCenter Server that could result in remote code execution on affected systems.

The issue, tracked as CVE-2023-34048 (CVSS score: 9.8), is described as an out-of-bounds write vulnerability in vCenter Server's implementation of the DCE/RPC protocol.

"A malicious actor with network access to vCenter Server could trigger an out-of-bounds write that could potentially lead to remote code execution," VMware said in an advisory published today.


Credited with discovering and reporting the bug is Grigory Dorodnov of the Trend Micro Zero Day Initiative.

VMware said that there are no workarounds to mitigate the vulnerability, and that security updates are available in the following software versions:

  • VMware vCenter Server 8.0 (8.0U1d or 8.0U2)
  • VMware vCenter Server 7.0 (7.0U3o)
  • VMware Cloud Foundation 5.x and 4.x

Due to the criticality of the defect and the lack of temporary mitigations, the virtualization services provider said that it also developed a patch for vCenter Server 6.7U3, 6.5U3, and VCF 3.x.
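The fixed releases above are what a practitioner has to compare an inventory against. The following triage script is an added example written for this page, not code from the article or from VMware: it parses vCenter release labels of the form seen in the advisory (for example 7.0U3o) and reports whether each host is at or past the first fixed release on its line. It assumes that the letter suffix sorts alphabetically and that any later update on the same line also carries the fix; those are assumptions about release naming, not statements from the advisory. The 6.7 and 6.5 lines are deliberately reported as "not covered" because the article names no fixed release label for them, only that a patch was produced. The host inventory is constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Earliest fixed release per supported line, as listed in the advisory quoted above.
# 8.0U2 is also fixed, but 8.0U1d is the earliest 8.0 release that carries the fix.
FIXED_RELEASES = {
    "8.0": "8.0U1d",
    "7.0": "7.0U3o",
}

# Matches "7.0U3o", "8.0U2", "8.0 U1d", "7.0" (no update suffix at all).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:U(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_version(label: str) -> Tuple[int, int, int, int]:
    """Turn a release label such as '7.0U3o' into a comparable tuple (7, 0, 3, 15).

    Assumption (not from the advisory): the trailing letter orders releases
    alphabetically within an update, and a missing letter sorts lowest.
    """
    m = _VERSION_RE.match(label.strip().replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised vCenter release label: {label!r}")
    major, minor, update, letter = m.groups()
    letter_rank = (ord(letter.lower()) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(update or 0), letter_rank)


def is_fixed(label: str) -> Optional[bool]:
    """True if the release is at or past the fixed release on its line,
    False if it is older, None if the line is not covered by FIXED_RELEASES
    (6.7 / 6.5, where the article names no fixed release label)."""
    parsed = parse_version(label)
    line = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'fixed' | 'vulnerable' | 'not covered' for an inventory
    of hostname -> release label."""
    verdicts = {}
    for host, label in inventory.items():
        status = is_fixed(label)
        verdicts[host] = (
            "not covered" if status is None else "fixed" if status else "vulnerable"
        )
    return verdicts


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    sample = {
        "vcsa-prod-01": "8.0U1d",
        "vcsa-prod-02": "8.0U1c",
        "vcsa-dr-01": "7.0U3n",
        "vcsa-lab-01": "7.0U3o",
        "vcsa-legacy-01": "6.7U3",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:16} {sample[host]:8} {verdict}")
```

The "not covered" verdict is intentional: a 6.x appliance needs to be checked by the build number of the out-of-support patch VMware shipped, which the article does not list, so the script refuses to guess.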


The latest update further addresses CVE-2023-34056 (CVSS score: 4.3), a partial information disclosure vulnerability affecting vCenter Server that could allow a malicious actor with non-administrative privileges to access unauthorized data.

VMware, in a separate FAQ, says it is not aware of in-the-wild exploitation of the flaws, but recommends that customers apply the patches as soon as possible to mitigate any potential threat.
