VMware vCenter Server Out-of-Bounds Write Vulnerability (CVE-2023-34048)

Written by Yann Lehmann with the support of Scott Emerson of the Kudelski Security Threat Detection & Research Team


Summary

VMware has released security updates to address a critical vulnerability in VMware vCenter Server, tracked as CVE-2023-34048. This vulnerability, with a CVSS score of 9.8, is an out-of-bounds write issue in the implementation of the DCE/RPC protocol. It allows a malicious actor with network access to vCenter Server to trigger an out-of-bounds write, potentially leading to remote code execution.

Affected Systems and/or Applications

The following supported VMware products are affected by the vulnerability:

  • VMware vCenter Server 7.0 & 8.0
  • VMware Cloud Foundation (VMware vCenter Server) 4.x & 5.x

Unsupported version 6.x is also affected.

Attack Overview

VMware vCenter Server is affected by an out-of-bounds write vulnerability within the DCE/RPC protocol implementation. DCE/RPC, an abbreviation for “Distributed Computing Environment / Remote Procedure Calls,” is a remote procedure call system created for the Distributed Computing Environment (DCE). This technology enables developers to design distributed software that operates seamlessly as if it were all running on a single computer, eliminating the need to manage the intricacies of the underlying network code.

The severity of this issue is rated as Critical. An attacker with network access to vCenter Server can exploit this vulnerability, potentially leading to remote code execution. Apart from the specific network ports involved (2012/tcp, 2014/tcp, and 2020/tcp), no further technical details have been made available at the time of writing. The vulnerability was reported by Trend Micro Zero Day Initiative, and at the time of writing there are no indications of it being exploited in the wild. However, due to the nature of the vulnerability, the CFC expects to see exploitation in a very short timeframe.

Temporary Workarounds and Mitigations

No viable in-product workarounds are available, but the CFC advises making sure that network access to vCenter Server is correctly protected by the security architecture. The specific network ports involved in this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp.
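
As an added example (not part of the original advisory and not VMware or CFC tooling), the following Python script checks firewall or flow records for permitted connections to the three ports above that originate outside the management network. The vCenter address, the allowed network, and the CSV layout are constructed assumptions to be replaced with local values.

```python
import csv
import io
import ipaddress

# Ports the advisory names for CVE-2023-34048.
DCERPC_PORTS = {2012, 2014, 2020}

# Constructed sample data (assumptions, not from the advisory): vCenter address,
# permitted management network, and flow records in a hypothetical CSV layout.
VCENTER_ADDRS = {ipaddress.ip_address("10.10.0.5")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
SAMPLE_FLOWS = """src,dst,proto,dport,action
10.10.0.20,10.10.0.5,tcp,2012,allow
10.50.3.7,10.10.0.5,tcp,2014,allow
10.50.3.7,10.10.0.5,tcp,443,allow
192.0.2.44,10.10.0.5,tcp,2020,allow
192.0.2.44,10.10.0.5,tcp,2012,deny
10.50.3.7,10.10.0.9,tcp,2012,allow
not-an-ip,10.10.0.5,tcp,2020,allow
"""

def find_exposures(flow_csv, vcenters=VCENTER_ADDRS, allowed=ALLOWED_SOURCES):
    """Return (findings, skipped): permitted TCP flows to the vCenter DCE/RPC
    ports from sources outside the allowed networks, plus unparseable rows."""
    findings, skipped = [], []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"].strip())
            dst = ipaddress.ip_address(row["dst"].strip())
            dport = int(row["dport"])
        except (ValueError, KeyError, AttributeError, TypeError):
            skipped.append(row)  # keep malformed rows visible instead of dropping them
            continue
        proto = (row.get("proto") or "").lower()
        action = (row.get("action") or "").lower()
        if proto != "tcp" or action != "allow":
            continue  # denied or non-TCP traffic is not an exposure
        if dst in vcenters and dport in DCERPC_PORTS:
            if not any(src in net for net in allowed):
                findings.append((str(src), str(dst), dport))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_exposures(SAMPLE_FLOWS)
    for src, dst, port in hits:
        print(f"EXPOSED {dst}:{port}/tcp permitted from {src}")
    print(f"{len(bad)} row(s) could not be parsed")
```

Any finding indicates a path to the vulnerable service that the security architecture should close until the updates below are applied.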

To remediate CVE-2023-34048, apply the recommended updates listed below to affected deployments:

  • VMware vCenter Server 8.0: Update to version 8.0U1d/8.0U2
  • VMware vCenter Server 7.0: Update to version 7.0U3o
  • VMware Cloud Foundation (VMware vCenter Server) 5.x, 4.x, 3.x: Refer to KB88287

What the Cyber Fusion Center (CFC) is doing

At the time of writing, no vulnerability scan is available for CVE-2023-34048. As soon as the plugins are available and vulnerability scans have run, clients with the relevant CFC service will receive a case if applicable.

The CFC will continue to monitor the situation and, depending on how it develops, will decide whether to launch a threat hunting campaign if the relevant data are available and actionable.
