WARNING: Two new vulnerabilities in VMware vCenter Server
CVE-2023-34048 - 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-34056 - 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Sources
https://www.vmware.com/security/advisories/VMSA-2023-0023.html
Risks
The critical vulnerability affecting VMware vCenter Server has a HIGH impact on Confidentiality, Integrity, and Availability. No user interaction is required to exploit this vulnerability and the attack complexity is low.
VMware is not currently aware of exploitation “in the wild.”
Description
CVE-2023-34048: Out-of-Bounds Write Vulnerability
VMware vCenter Server is affected by an out-of-bounds write vulnerability in the implementation of the DCERPC protocol.
An attacker with network access to vCenter Server can trigger an out-of-bounds write that can potentially lead to remote code execution.
CVE-2023-34056: Partial Information Disclosure
VMWare vCenter Server contains a partial information disclosure vulnerability.
An attacker with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends system administrators to visit VMWare’s software download pages and install the patched versions of this software.
- For VMware vCenter Server version 7.0 please patch to version 7.0U3o: https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262
- For VMware vCenter Server version 8.0 please patch to version 8.0U2: https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105
- For VMware Cloud Foundation (VMware vCenter Server) versions 4.x and 5.x please apply patch KB88287: https://kb.vmware.com/s/article/88287
References
https://via.vmw.com/vmsa-2023-0023-qna