The leading virtualization and cloud tech provider VMware has disclosed a critical vulnerability with a score of 9.8 out of 10, affecting its vCenter Server. The flaw, which the company urges users to patch, allows hackers to execute remote code.
vCenter Server is used to administer and oversee virtualized environments. It provides a unified interface to efficiently manage multiple hosts’ virtual machines, storage, and networking resources.
VMware reported that the vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCE/RPC protocol (Distributed Computing Environment/Remote Procedure Call). This protocol is used for communication between applications distributed across a network.
“VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8,” the initial security advisory reads.
Updates in the affected VMware products are available to remediate the vulnerabilities (CVE-2023-34048, CVE-2023-34056). The company warned that there are no workarounds, urging customers to update to the fixed version of the software. This means the end-of-life of older vCenter Server versions.
VMware thanked Grigory Dorodnov of Trend Micro Zero Day Initiative for reporting the issue.
The flaw allows malicious actors to access unauthorized data with non-admin administrative privileges.
“A malicious actor with network access to vCenter Server may trigger an out-of-bounds write, potentially leading to remote code execution,” the report reads.
VMware provides software products and services to major banks, telecommunication companies, and the UK government, among other institutions. The company is being acquired by Broadcom.