VMware has rolled out security patches to rectify a critical flaw in its vCenter Server, which, if exploited, could enable remote code execution attacks on vulnerable servers. vCenter Server works as the central management hub for VMware's vSphere suite and assists administrators in managing and monitoring virtualized infrastructure.
The vulnerability, tagged as CVE-2023-34048, was brought to light by Grigory Dorodnov from Trend Micro's Zero Day Initiative. The flaw is attributed to an out-of-bounds write weakness in the DCE/RPC protocol implementation of vCenter. This vulnerability can be exploited remotely by unauthenticated attackers in low-complexity attacks that do not need user interaction. As of now, VMware has not found any evidence of the CVE-2023-34048 RCE bug being exploited in attacks.
Security patches that address this issue are now available via the standard vCenter Server update mechanisms. Owing to the critical nature of this bug, VMware has also released patches for several end-of-life products that are no longer actively supported. The company stated, "While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and lack of workaround VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x." It added that additional patches have been made available for vCenter Server 8.0U1. Async vCenter Server patches for VCF 5.x and 4.x deployments have also been released.
Since there's no workaround, VMware is advising admins to strictly regulate network perimeter access to vSphere management components and interfaces, including storage and network components. The network ports that could potentially be exploited in attacks targeting this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp.
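One way to check that access to those three ports is actually restricted is to audit the allow rules in front of vCenter. The sketch below is an added example, not VMware's tooling; the rule format, the addresses and the management network are constructed assumptions, and each rule is evaluated on its own without modelling rule order.

```python
import ipaddress

# Ports the article lists for CVE-2023-34048.
VCENTER_PORTS = {2012, 2014, 2020}

def parse_rule(line):
    """Parse '<action> <src_cidr> <dst_ip> <proto> <port|lo-hi>' (constructed format)."""
    action, src, dst, proto, ports = line.split()
    lo, _, hi = ports.partition("-")
    return {
        "action": action,
        "src": ipaddress.ip_network(src, strict=False),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "ports": range(int(lo), int(hi or lo) + 1),
        "raw": line,
    }

def exposed_rules(lines, vcenter_ip, mgmt_nets):
    """Return (rule, ports) for allow rules that open the vCenter ports to a
    source that is not fully contained in an approved management network."""
    vcenter = ipaddress.ip_address(vcenter_ip)
    allowed = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in lines:
        line = line.split("#")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if rule["action"] != "allow" or rule["proto"] != "tcp" or rule["dst"] != vcenter:
            continue
        hit = sorted(p for p in VCENTER_PORTS if p in rule["ports"])
        inside = any(rule["src"].subnet_of(n) for n in allowed if n.version == rule["src"].version)
        if hit and not inside:
            findings.append((rule["raw"], hit))
    return findings

# Constructed sample rule set using private address ranges.
SAMPLE_RULES = """
allow 10.20.0.0/24 10.0.5.10 tcp 443          # admin UI from management VLAN
allow 10.20.0.0/24 10.0.5.10 tcp 2012-2020    # management VLAN, acceptable
allow 0.0.0.0/0    10.0.5.10 tcp 2012         # any source: exposed
allow 10.30.0.0/16 10.0.5.10 tcp 2000-2100    # user LAN, wide range: exposed
allow 10.30.0.0/16 10.0.5.20 tcp 2014         # different host, ignored
deny  0.0.0.0/0    10.0.5.10 tcp 2020
""".splitlines()

if __name__ == "__main__":
    for raw, ports in exposed_rules(SAMPLE_RULES, "10.0.5.10", ["10.20.0.0/24"]):
        print(f"EXPOSED {ports}: {raw}")
```

Wide port ranges are the case most easily missed in a manual review: the fourth sample rule never names 2012, 2014 or 2020, yet it opens all three.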
Alongside this, VMware also patched a partial information disclosure vulnerability with a 4.3/10 severity CVSS base score, identified as CVE-2023-34056. This vulnerability could be used by threat actors with non-administrative privileges to vCenter servers to access sensitive data. In a separate FAQ document, VMware stated, "This would be considered an emergency change, and your organization should consider acting quickly. However, all security response depends on context. Please consult with your organization's information security staff to determine the right course of action for your organization."
Earlier in June, VMware patched several high-severity vCenter Server security flaws, mitigating code execution and authentication bypass risks. In the same week, VMware fixed an ESXi zero-day exploited by Chinese state hackers in data theft attacks and alerted customers to an actively exploited critical flaw in the Aria Operations for Networks analytics tool, which has since been patched.