VMware has recently resolved a number of high-severity security vulnerabilities in its vCenter Server. These flaws could enable attackers to execute code and bypass authentication on systems that have not been updated. vCenter Server is the control center of VMware's vSphere suite: a server management solution that lets administrators manage and monitor virtualized infrastructure. The security issues were found in the DCE/RPC protocol implementation used by vCenter Server. DCE/RPC allows operations to span multiple systems by presenting them as a single, unified computing environment.
VMware has released security updates for four high-severity bugs, which include heap-overflow (CVE-2023-20892), use-after-free (CVE-2023-20893), out-of-bounds read (CVE-2023-20895), and out-of-bounds write (CVE-2023-20894) vulnerabilities. The first two (CVE-2023-20892, CVE-2023-20893) can be exploited by unauthenticated attackers with network access to execute code in high-complexity attacks that do not require user interaction. These attacks could lead to a complete loss of confidentiality, integrity, and availability. "The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol," VMware stated. "A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server."
Threat actors targeting CVE-2023-20895 can trigger an out-of-bounds read and memory corruption, which would allow them to bypass authentication on unpatched vCenter Server appliances. Additionally, a fifth vCenter Server out-of-bounds read vulnerability, tracked as CVE-2023-20896, can be exploited remotely in denial-of-service attacks aimed at multiple VMware services on the target host (e.g., vmcad, vmdird, vmafdd).
All of the vulnerabilities addressed in this update were discovered and reported by Cisco Talos security researchers Dimitrios Tatsis and Aleksandar Nikolic. Just last week, VMware patched an ESXi zero-day that was being exploited by Chinese state hackers to infiltrate Windows and Linux virtual machines in order to steal data. Furthermore, on Tuesday, the company warned customers that a now-fixed critical vulnerability in the Aria Operations for Networks analytics tool is currently being actively exploited in attacks.