VMware fixes vCenter Server bugs allowing code execution, auth bypass

VMware has addressed multiple high-severity security flaws in vCenter Server, which can let attackers gain code execution and bypass authentication on unpatched systems.

vCenter Server is the control center for VMware's vSphere suite and a server management solution that helps admins manage and monitor virtualized infrastructure.

The security bugs were found in the DCE/RPC protocol implementation used by vCenter Server. This protocol enables seamless operation across multiple systems by creating a virtual unified computing environment.

VMware has issued security updates for four high-severity bugs today, including heap-overflow (CVE-2023-20892), use-after-free (CVE-2023-20893), out-of-bounds read (CVE-2023-20895), out-of-bounds write (CVE-2023-20894) flaws.

The first two (CVE-2023-20892, CVE-2023-20893) can be exploited by unauthenticated attackers with network access to gain code execution in high-complexity attacks that don't require user interaction and could result in total loss of confidentiality, integrity, and availability.

"The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol," VMware said.

"A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server."

​Threat actors targeting CVE-2023-20895 may trigger an out-of-bounds read and memory corruption, allowing them to bypass authentication on unpatched vCenter Server appliances.

A fifth vCenter Server out-of-bounds read vulnerability tracked as CVE-2023-20896 can be exploited remotely in denial-of-service attacks targeting multiple VMware services on the target host (e.g., vmcad, vmdird, vmafdd).

All vulnerabilities addressed today were found and reported by Cisco Talos security researchers Dimitrios Tatsis and Aleksandar Nikolic.

Last week, VMware patched an ESXi zero-day exploited by Chinese state hackers to backdoor Windows and Linux virtual machines to steal data.

On Tuesday, the company also warned customers that a now-patched critical vulnerability in the Aria Operations for Networks analytics tool is now actively exploited in attacks.