VMware released security updates to five memory corruption vulnerabilities (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, CVE-2023-20896) in vCenter Server that could lead to remote code execution.
The memory corruption vulnerabilities reside in the software’s implementation of the DCERPC protocol.
One of the most severe flaws addressed by the IT giant is a heap-overflow issue tracked as CVE-2023-20892 (CVSS score of 8.1.).
“The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol.” reads the advisory published by the company.
The vulnerability was reported to VMware by Aleksandar Nikolic from Cisco.
The company also fixed a use-after-free vulnerability, tracked as CVE-2023-20893 (CVSS score of 8.1.), in the implementation of the DCERPC protocol.
VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.
“A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server.” continues the advisory.
The remaining issues addressed by the virtualization giant are out-of-bounds write vulnerability tracked CVE-2023-20894 (CVSS score of 8.1.), CVE-2023-20895 (CVSS score of 8.1.), and CVE-2023-20894 (CVSS score of 5.9.).
The company addressed the issues with the release of vCenter Server and Cloud Foundation versions 8.0 U1b and 7.0 U3m. The company also released Async patches for VCF customers.
The good news is that the company is not aware of any attacks in the wild exploiting the above issues.
(SecurityAffairs – hacking, virtualization)