VMware on Wednesday issued security updates to fix a critical-severity (CVSS 9.8) vCenter Server vulnerability that attackers can exploit to achieve remote code execution (RCE) on unpatched servers.
Nearly 10,000 companies use vCenter Server to manage and monitor virtual infrastructure. "A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution," according to VMware.
The vulnerability — CVE-2023-34048 — was reported by Grigory Dorodnov of Trend Micro's Zero Day Initiative and is classified as an out-of-bounds write weakness in vCenter's DCE/RPC protocol implementation.
A second vulnerability in VMware vCenter Server, CVE-2023-34056, was reported by Oleg Moshkov of Deiteriy Lab OÜ. It is described as a partial information disclosure vulnerability that could let an attacker who already holds non-administrative privileges on vCenter Server access data they are not authorized to see.
Both of these vulnerabilities also affect products that contain vCenter Server, including vSphere and VMware Cloud Foundation.
Because vSphere and vCenter Server are so widely deployed, both are favorite targets of attackers. Consequently, security teams have had to deal with a string of bugs affecting vCenter Server over the past year.
VMware said that while it does not normally mention end-of-life products in its advisories, given the critical nature of this vulnerability and the absence of any workaround it has made patches generally available for vCenter Server 6.7U3 and 6.5U3 and for VCF 3.x. For the same reasons, VMware has also released additional patches for vCenter Server 8.0U1. Since there is no workaround and the attacker needs only network access to the vCenter Server, the only stopgap for systems that cannot be patched immediately is to restrict network reachability of the vCenter management interfaces to trusted administrative networks until the update is applied.
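As a practical check to go with the patch notice, the following script is an added example (not code from the article or from VMware) that takes the JSON a vCenter appliance returns for its version and build and decides whether the build is at or above the first build that carries the fix for its release line. The minimum fixed build numbers in the table are assumptions recorded from the vendor advisory rather than facts stated in this article, and must be verified against VMSA-2023-0023 before use; the sample response is constructed, not captured from a real system.

```python
"""Flag vCenter Server appliances whose build predates the CVE-2023-34048 fix.

Added example: not part of the article or of VMware's tooling. It only models
the 8.0 and 7.0 release lines; 6.7/6.5 received out-of-band patches that the
table below does not cover, so those lines are reported as 'unknown'.
"""
import json

# ASSUMPTION: minimum build number that includes the fix, per release line.
# These values are assumed and must be checked against VMSA-2023-0023 and
# VMware's build-number KB before being relied upon.
MIN_FIXED_BUILD = {
    "8.0": 22368047,  # assumed: vCenter Server 8.0 U1d (8.0 U2 is a higher build)
    "7.0": 22357613,  # assumed: vCenter Server 7.0 U3o
}

# Constructed sample shaped like the body returned by the appliance REST API
# endpoint GET /api/appliance/system/version (fields trimmed to what we use).
SAMPLE_RESPONSE = json.dumps({
    "version": "8.0.1.00300",
    "build": "22088981",
    "product": "VMware vCenter Server",
})


def release_line(version: str) -> str:
    """Reduce a dotted version such as '8.0.1.00300' to its 'major.minor' line."""
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def is_patched(version: str, build: str):
    """Return True/False for lines in the table, None when the line is not modelled.

    Builds are compared numerically because VMware build numbers increase
    monotonically within a release line; a build below the table value is
    older than the first fixed build and therefore still vulnerable.
    """
    line = release_line(version)
    minimum = MIN_FIXED_BUILD.get(line)
    if minimum is None:
        return None
    return int(build) >= minimum


def assess(raw_json: str) -> dict:
    """Parse an appliance version response and summarise its patch status."""
    data = json.loads(raw_json)
    version, build = data["version"], data["build"]
    status = is_patched(version, build)
    return {
        "line": release_line(version),
        "version": version,
        "build": int(build),
        "patched": status,
        "verdict": {True: "patched", False: "VULNERABLE", None: "unknown"}[status],
    }


if __name__ == "__main__":
    result = assess(SAMPLE_RESPONSE)
    print(f"{result['version']} (build {result['build']}): {result['verdict']}")
```

To use it against a live appliance, fetch the JSON from the appliance version endpoint with an authenticated session and pass the body to `assess`; an `unknown` verdict means the release line is not in the table, not that the system is safe.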