VMware VMSA-2023-0014

Introduction

‍

VMware has released a new Important VMSA-2023-0014 for VMware vCenter, affecting versions 7.0 and 8.0.

What is VMSA-2023-0014?

‍

Multiple vulnerabilities have been identified in the implementation of the DCE/RPC protocol used by vCenter Server. The protocol was originally designed for distributed computing environments and unifies communication between different software systems and components. 

‍

Due to the nature of the protocol, all CVEs are remotely exploitable, requiring only network access to the vCenter Server. At the time of writing, the exploit is not available and the exploit does not appear to be trivial, but that could change quickly.

‍

How  CVEs works

CVE-2023-20892 describes a heap overflow vulnerability due to the use of uninitialized memory and CVE-2023-20893 describes a use-after-free vulnerability. Both allow an attacker to execute arbitrary code on the underlying operating system on which vCenter Server is running.

‍

CVE-2023-20894 states that a malicious actor could trigger an out-of-bounds write by sending a specially crafted packet that results in memory corruption, and CVE-2023-20895 is a bug that allows a malicious actor to trigger a memory corruption vulnerability that could bypass authentication.

‍

The above CVEs are rated as Important Vulnerability. CVE-2023-20896, the last one on the list, is rated as Moderate. It contains an out-of-bounds read vulnerability. This can be exploited by sending a specially crafted packet that results in a denial of service of certain services (vmcad, vmdird, and vmafdd).

‍

How to patch these vulnerabilities

‍

All CVEs affect vCenter versions 7.0 and 8.0. There is no workaround for any of them and the only solution is to patch vCenter 7.0 to version 7.0 U3m and vCenter 8.0 to 8.0 U1b. Runecast definitions update 6.5.6.3, which was just released, has the VMSA covered. Please make sure to update the definitions in your Runecast appliance in order to have your environments evaluated correctly.

‍

The original VMSA article is available here.

‍

How Runecast protects against VMSA-2023-0014

Runecast helps you automate the security of your workloads

‍

Cybersecurity is a constantly changing field, and new threats are constantly emerging. By keeping up to date with the latest intelligence, organisations can ensure that their defences are up to date and effective against the latest threats – especially when those ‘latest threats’ were patched 2 years ago. Ultimately, identification of threats and their remediation steps is not the only step, as knowledge is useless without action.

‍

Runecast helps you reduce the risk of falling victim to this kind of attack by providing:

‍

1. The most sophisticated and complete VMware vulnerability and security hardening assessment with our patented rules engine.
2. Prioritisation of vulnerabilities based on their severity levels and known exploited vulnerabilities information.
3. Fastest vulnerability and security standard release cycle thanks to the Runecast AI Knowledge Automation Platform.
4. Best time to value on the market, with 15-minute agentless deployment and results.
5. Unmatched secure deployment methods supporting air-gapped environments.
6. Remediation capabilities.

‍

By using Runecast regularly and following its recommendations, you can:

‍

• Maintain a hardened configuration to reduce attack surface.
• Save time by automating remediation.
• Stay free of critical vulnerabilities with known exploits prioritisation.
• Greatly reduce the risk of any malware, including ransomware, from compromising your systems.

‍

Runecast is a powerful AI-driven platform that can help you reduce the risk of falling victim to a VMware targeted ransomware attack. While there is no solution that can guarantee 100% prevention, Runecast will give you the best chance of avoiding a costly and damaging attack.

‍