VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server.
Since there are no in-product workarounds, customers are advised to apply the updates urgently.
The affected products are VMware vCenter Server versions 7.0 and 8.0 and VMware Cloud Foundation versions 5.x and 4.x.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are CVE-2023-34048 and CVE-2023-34056.
CVE-2023-34048, an out-of-bounds write vulnerability in the vCenter Server’s implementation of the DCERPC protocol. A malicious actor with network access to could trigger an out-of-bounds write, potentially leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.8 out of 10.
DCE/RPC, which is short for “Distributed Computing Environment / Remote Procedure Calls”, is the remote procedure call system developed to allow programmers to write distributed software as if it were all working on the same computer, without having to worry about the underlying network code.
An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.
VMware is not currently aware of exploitation “in the wild,” but urges customers to considered this an emergency change, and your organization should consider acting quickly.
CVE-2023-34056, a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server could use this issue to access unauthorized data. It has a CVSS score 4.3 out of 10.
Patching
While VMware normally does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and the lack of a workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.
Fixed version(s) and release notes:
VMware vCenter Server 8.0U2
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105
VMware vCenter Server 8.0U1d
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378
VMware vCenter Server 7.0U3o
Downloads and Documentation:
https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262
Cloud Foundation 5.x/4.x
https://kb.vmware.com/s/article/88287
VMWare also published an FAQ about this update.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.
