VMware fixes critical code execution flaw in vCenter Server

VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers.

vCenter Server is the central management hub for VMware's vSphere suite, and it helps administrators manage and monitor virtualized infrastructure.

The vulnerability (CVE-2023-34048) was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is due to an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation.

Unauthenticated attackers can exploit it remotely in low-complexity attacks that don't require user interaction. The company says it has no evidence that the CVE-2023-34048 RCE bug is currently used in attacks.

Security patches addressing this issue are now accessible through the standard vCenter Server update mechanisms. Due to the critical nature of this bug, VMware has also issued patches for multiple end-of-life products that are no longer under active support.

"While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and lack of workaround VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x," the company said.

"For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1. Async vCenter Server patches for VCF 5.x and 4.x deployments have been made available."

No workaround available

Because a workaround is unavailable, VMware urges admins to strictly control network perimeter access to vSphere management components and interfaces, including storage and network components.

The specific network ports linked to potential exploitation in attacks targeting this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp.

The company also patched a partial information disclosure vulnerability with a 4.3/10 severity CVSS base score tracked as CVE-2023-34056 that may be leveraged by threat actors with non-administrative privileges to vCenter servers to access sensitive data.

"This would be considered an emergency change, and your organization should consider acting quickly," VMware said in a separate FAQ document.

"However, all security response depends on context. Please consult with your organization's information security staff to determine the right course of action for your organization."

In June, VMware patched multiple high-severity vCenter Server security flaws, mitigating code execution and authentication bypass risks.

The same week, VMware fixed an ESXi zero-day exploited by Chinese state hackers in data theft attacks and alerted customers to an actively exploited critical flaw in the Aria Operations for Networks analytics tool, which has since been patched.