VMware patches critical vulnerability in vCenter Server (CVE-2023-34048)

VMware has fixed a critical out-of-bounds write vulnerability (CVE-2023-34048) and a moderate-severity information disclosure flaw (CVE-2023-34056) in vCenter Server, its popular server management software.

About CVE-2023-34048 and CVE-2023-34056

CVE-2023-34048 allows an attacker with network access to a vulnerable vCenter Server virtual appliance to trigger an out-of-bounds write that can lead to remote code execution.

It has been reported by Grigory Dorodnov of Trend Micro Zero Day Initiative and there are no indications of it being exploited in the wild.

A second vulnerability (CVE-2023-34056) in the VMware vCenter Server has been reported by Oleg Moshkov of Deiteriy Lab OÜ. It is a partial information disclosure vulnerability that could allow an attacker with non-administrative privileges to access unauthorized data.

Both vulnerabilities also affect products that contain vCenter Server, i.e., vSphere and Cloud Foundation (VCF).

No workarounds are available, so users are urged to update to the fixed versions as soon as possible.

“Due to the critical severity of this vulnerability and lack of workaround VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1,” the company said.

Asynchronous vCenter Server patches for VCF 5.x and 4.x deployments are also available.

“There may be other mitigations available in your organization depending on your security posture, defense-in-depth strategies, and configurations of perimeter firewalls and appliance firewalls. All organizations must decide for themselves whether to rely on those protections,” the company added.

While VMware went public with the vulnerabilities today, some of the security updates containing the fixes have been released in late September. If you’re a vCenter Server admin and generally quick to update, your installations might already be safe from exploitation.

Vulnerable VMware products and PoCs

In June, a critical pre-authentication command injection vulnerability (CVE-2023-20887) in VMware Aria Operations for Network was observed being exploited in the wild.

On Monday, the company confirmed that a proof of concept exploit for a high-severity authentication bypass vulnerability (CVE-2023-34051) in Aria Operations for Logs, its popular log storage and analysis tool, had been published.

UPDATE (January 19, 2024, 08:42 a.m. ET):

“VMware has confirmed that exploitation of CVE-2023-34048 has occurred in the wild,” the company noted in the updated security advisory.

UPDATE (January 22, 2024, 05:00 a.m. ET):

Mandiant says that a highly advanced China-backed espionage group “has been exploiting CVE-2023-34048 as far back as late 2021.”