VMware mitigates security threats with critical updates for vCenter Server
The virtualization company addresses five memory corruption vulnerabilities that could allow remote code execution
VMware, the global leader in virtualization, recently released software updates to fix several memory corruption vulnerabilities in its vCenter Server that could allow remote code execution. These updates aim to address five security flaws in the software's implementation of the DCERPC protocol. Four of these defects have been rated as 'major' by VMware, with a CVSS score of 8.1.
Description of the main vulnerabilities identified
Two of the vulnerabilities, identified as CVE-2023-20892 (heap buffer overflow due to uninitialized memory) and CVE-2023-20893 (use-after-free), could allow code execution, according to VMware's advisory. “A malicious actor with network access to the vCenter Server could exploit this issue to execute arbitrary code on the underlying operating system hosting the vCenter Server,” warns VMware. Next, CVE-2023-20894 is a remotely exploitable out-of-bounds write that can be triggered through specially crafted packets to cause memory corruption.
Additional security flaws addressed
The fourth security flaw, CVE-2023-20895, is a memory corruption issue that can be exploited via the network to bypass authentication. VMware's update also addresses an important-severity out-of-bounds read vulnerability that a malicious actor can remotely exploit to cause a DoS condition on services such as vmcad, vmdird, and vmafdd. Patches for all of these issues were included in vCenter Server and Cloud Foundation releases 8.0 U1b and 7.0 U3m. VMware has also released async patches for VCF customers.
Security tips for VMware users
vCenter Server is advanced server management software for delivering virtual infrastructure across the hybrid cloud, included in vSphere and Cloud Foundation products. VMware recommends that all customers update to the fixed versions of affected products, emphasizing that there is no workaround for any of these vulnerabilities. The company says that it is not aware of any active exploitation of these defects in the wild.
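Since updating is the only remediation, the practical first step is finding which vCenter instances are still below 8.0 U1b or 7.0 U3m. The following is an added example, not VMware's code: it assumes an inventory that records each instance's release label in the form "7.0 U3m", and the host names and the `patch_status` and `audit` helpers are hypothetical.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(8, 0): "8.0 U1b", (7, 0): "7.0 U3m"}

# Assumed label format: "<major>.<minor>[ U<update>][<patch letter>]".
_LABEL = re.compile(r"^\s*(\d+)\.(\d+)\s*(?:[Uu](\d+))?\s*([a-z])?\s*$")


def parse_release(label):
    """Turn '7.0 U3m' into a sortable tuple (7, 0, 3, 13); None if unparseable."""
    m = _LABEL.match(label)
    if not m:
        return None
    major, minor, update, letter = m.groups()
    # No 'U<n>' means the base release (0); no letter sorts before 'a'.
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(update or 0), letter_rank)


def patch_status(label):
    """Return 'patched', 'needs-update' or 'unknown' for a release label."""
    parsed = parse_release(label)
    if parsed is None or parsed[:2] not in FIXED:
        # Branches the article does not name are reported, not guessed at.
        return "unknown"
    fixed = parse_release(FIXED[parsed[:2]])
    return "patched" if parsed >= fixed else "needs-update"


def audit(inventory):
    """Map each host in {name: release_label} to its patch status."""
    return {host: patch_status(label) for host, label in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; host names and release labels are sample values.
    sample = {
        "vc-prod-01": "8.0 U1b",
        "vc-prod-02": "8.0 U1a",
        "vc-dr-01": "7.0 U3m",
        "vc-lab-01": "7.0 U3k",
        "vc-old-01": "6.7 U3",
    }
    for host, status in audit(sample).items():
        print(f"{host:12} {sample[host]:8} {status}")
```

Instances reported as "unknown" are on a branch or label format the article does not cover and need a manual check against the vendor advisory.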
06/23/2023 12:24
Editorial AI