VMware Releases Patch for Critical vCenter Server RCE Vulnerability
VMware has released security updates to address a critical flaw in the vCenter Server that could result in remote code execution on affected systems.
The issue, tracked as CVE-2023-34048 (CVSS score: 9.8), has been described as an out-of-bounds write vulnerability in the implementation of the DCE/RPC protocol.
“A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution,” VMware said in an advisory published today.
Credited with discovering and reporting the flaw is Grigory Dorodnov of Trend Micro Zero Day Initiative.
VMware said that there are no workarounds to mitigate the shortcoming and that security updates have been made available in the following versions of the software:
- VMware vCenter Server 8.0 (8.0U1d or 8.0U2)
- VMware vCenter Server 7.0 (7.0U3o)
- VMware Cloud Foundation 5.x and 4.x
Given the criticality of the flaw and the lack of temporary mitigations, the virtualization services provider said it’s also making available a patch for vCenter Server 6.7U3, 6.5U3, and VCF 3.x.
The latest update further addresses CVE-2023-34056 (CVSS score: 4.3), a partial information disclosure vulnerability impacting the vCenter Server that could enable a bad actor with non-administrative privileges to access unauthorized data.
VMware, in a separate FAQ, said it’s not aware of in-the-wild exploitation of the flaws, but has recommended that customers apply the patches as soon as possible to mitigate any potential threats.