VMware vCenter Server is affected by an out-of-bounds write vulnerability (CVE-2023-34048) and a partial information disclosure vulnerability (CVE-2023-34056). Successful exploitation of these vulnerabilities may result in access to critical data and remote code execution.
CISA has added CVE-2023-34048 to its Known Exploited Vulnerabilities Catalog and has requested that users patch it before February 12, 2024.
VMware vCenter Server is an advanced server management product. It provides a centralized platform for controlling vSphere environments, with visibility across hybrid clouds, and protects the vCenter Server Appliance and related services with native high availability (HA) and a recovery time objective of less than 10 minutes.
CVE-2023-34048: VMware vCenter Server Out-of-Bounds Write Vulnerability
Grigory Dorodnov of Trend Micro's Zero Day Initiative discovered and reported the vulnerability to VMware. CVE-2023-34048 has been assigned a critical severity rating with a CVSS base score of 9.8.
The out-of-bounds write vulnerability exists in vCenter Server's implementation of the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol, which is used to invoke procedures on remote systems over a network. An attacker with network access to vCenter Server may exploit the vulnerability to achieve remote code execution on the target system.
Notes:
- While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and the lack of a workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.
- Async vCenter Server patches for VCF 5.x and 4.x deployments are available. Please see KB88287 for more information.
CVE-2023-34056: VMware vCenter Server Partial Information Disclosure Vulnerability
Oleg Moshkov of Deiteriy Lab OÜ discovered and reported the vulnerability to VMware. CVE-2023-34056 has been assigned a moderate severity rating with a CVSSv3 base score of 4.3. An attacker does not require administrative privileges on vCenter Server to exploit the vulnerability; successful exploitation may allow the attacker to access unauthorized data.
Affected Versions
- VMware vCenter Server Virtual Appliance 8.0 before build 22368047
- VMware vCenter Server Virtual Appliance 8.0 before build 22385739
- VMware vCenter Server Virtual Appliance 7.0 before build 22357613
Mitigation
Customers must upgrade to VMware vCenter Server 8.0U2, 8.0U1d, or 7.0U3o (the fixed release for their version line) to patch the vulnerabilities.
For more information about the mitigation, please refer to VMware Security Advisory (VMSA-2023-0023).
Qualys Detection
Qualys customers can scan their devices with QIDs 216315, 216316, and 216317 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.vmware.com/security/advisories/VMSA-2023-0023.html