VMware Addresses Multiple Vulnerabilities in vCenter Server (CVE-2023-34048 & CVE-2023-34056)

Qualys Security Advisory

VMware vCenter Server is vulnerable to out-of-bounds write (CVE-2023-34048) and partial information disclosure (CVE-2023-34056) vulnerabilities. Successful exploitation of the vulnerabilities may result in access to critical data and remote code execution.

VMware vCenter is an advanced server management software. The software has a centralized platform for controlling vSphere environments for visibility across hybrid clouds. The software protects the vCenter Server Appliance and related services with native high availability (HA) and a recovery time objective of less than 10 minutes.

CVE-2023-34048: VMware vCenter Server Out-of-Bounds Write Vulnerability

Grigory Dorodnov of Trend Micro Zero Day Initiative has discovered and reported the vulnerability to VMware. CVE-2023-34048 has been given a critical severity rating with a CVSS base score of 9.8.

The out-of-bounds write vulnerability exists in the implementation of the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol. The protocol is used in the modern Internet for remote procedure calls. An attacker with network access to the vCenter Server may perform remote code execution on the target system by exploiting the vulnerability.

Notes:

  • While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and lack of workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.
  • Async vCenter Server patches for VCF 5.x and 4.x deployments have been available. Please see KB88287 for more information.

CVE-2023-34056: VMware vCenter Server Partial Information Disclosure Vulnerability

Oleg Moshkov of Deiteriy Lab OÜ has discovered and reported the vulnerability to VMware. CVE-2023-34056 has been given a moderate severity rating with a CVSSv3 base score of 4.3. An attacker does not require any administrative privileges to the vCenter Server to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to access unauthorized data.

Affected Versions

  • VMware vCenter Server Virtual Appliance 8.0 before build 22368047
  • VMware vCenter Server Virtual Appliance 8.0 before build 22385739
  • VMware vCenter Server Virtual Appliance 7.0 before build 22357613

Mitigation

Customers must upgrade to VMware vCenter Server versions 8.0U2, 8.0U1d, and 7.0U3o to patch the vulnerabilities.

For more information about the mitigation, please refer to VMware Security Advisory (VMSA-2023-0023).

Qualys Detection

Qualys customers can scan their devices with QIDs 216315 and 216316 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://www.vmware.com/security/advisories/VMSA-2023-0023.html

READ MORE