VMware releases patches for several memory corruption vulnerabilities in vCenter Server

Target Industry

Indiscriminate, opportunistic attacks.

Overview

Researchers at Cisco Talos disclosed several memory corruption vulnerabilities in VMware vCenter Server. VMware released patches on 22nd June 2023 under advisory VMSA-2023-0014, and the issues are now tracked under the CVE identifiers listed below.

In total, five vulnerabilities were discovered in vCenter Server's implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol. Each one is reachable by an attacker with network access to the vCenter server and, depending on the flaw, allows memory corruption, authentication bypass, code execution or denial of service. They are tracked as:

CVE-2023-20892 (CVSSv3 score: 8.1)

A heap overflow caused by the use of uninitialised memory in the DCERPC implementation. An attacker with network access to vCenter Server can exploit it to execute code on the underlying operating system.

CVE-2023-20893 (CVSSv3 score: 8.1)

A use-after-free vulnerability (a pointer to freed memory is reused) in the DCERPC implementation. An attacker with network access can exploit it to execute code on the vCenter operating system.

CVE-2023-20894 (CVSSv3 score: 8.1)

An out-of-bounds write vulnerability, in which data is written past the end or before the beginning of the intended buffer, that an attacker with network access can use to corrupt memory.

CVE-2023-20895 (CVSSv3 score: 8.1)

A memory corruption vulnerability in the DCERPC implementation that an attacker with network access to the vCenter server can use to bypass authentication.

CVE-2023-20896 (CVSSv3 score: 5.9)

An out-of-bounds read vulnerability in the DCERPC implementation that an attacker with network access can trigger to cause a denial of service of certain vCenter services (vmcad, vmdird and vmafdd).

Impact

If exploited against a vCenter server, these vulnerabilities would allow an attacker to deny service to key vCenter components, bypass the server's authentication and execute code to gain control of the appliance. With control of a vCenter server an attacker could access, modify and exfiltrate data from any virtual machine it manages, whether for monetary gain or to disrupt key organisational systems.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, provides an additional layer of defence. EDR can alert on and block post-exploitation activity on managed hosts before an attacker is able to cause significant damage; note, however, that it does not address the vulnerabilities themselves, which are only removed by patching vCenter Server.

Affected Products

VMware vCenter Server (fixed in 8.0 U1b and 7.0 U3m) and VMware Cloud Foundation, which bundles vCenter Server.

Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution is implemented, which allows for the prevention or mitigation of attacks from a wide range of threats in real time.

Apply the fixed vCenter Server versions referenced in VMSA-2023-0014 as a priority. More generally, all devices should run the most recent vendor updates available, as these contain the security fixes that prevent exploitation of known vulnerabilities. Until patched, restrict network access to vCenter Server's management interfaces to trusted administrative networks, since every one of the five vulnerabilities requires network access to the server.
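A practical way to confirm the patch has landed across an estate is to compare each appliance's build number against the first fixed build for its release line. The following is an added example written for this bulletin, not code from VMware or Cisco Talos. It assumes the fixed builds 21784751 (7.0 U3m) and 22088981 (8.0 U1b), taken from the respective release notes, which should be verified against VMSA-2023-0014 before relying on them; the `fetch_version` helper uses the documented vSphere Automation REST endpoints `POST /api/session` and `GET /api/appliance/system/version`, and the sample records are constructed for an offline run.

```python
"""Patch-status check for VMSA-2023-0014 (CVE-2023-20892 to CVE-2023-20896).

Assumption: the fixed builds in FIXED_BUILDS come from the vCenter Server 7.0 U3m and
8.0 U1b release notes; confirm them against the advisory before relying on this check.
"""
import json
import ssl
import urllib.request
from base64 import b64encode

# First build in each release line that contains the fixes (assumed, see above).
FIXED_BUILDS = {
    "7.0": 21784751,   # vCenter Server 7.0 Update 3m
    "8.0": 22088981,   # vCenter Server 8.0 Update 1b
}

CVES = ["CVE-2023-20892", "CVE-2023-20893", "CVE-2023-20894",
        "CVE-2023-20895", "CVE-2023-20896"]


def release_line(version):
    """'8.0.1.00200' -> '8.0'; raises ValueError on a malformed version string."""
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unexpected version string: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def assess(info):
    """Assess a record of the shape returned by GET /api/appliance/system/version.

    Returns the release line, the build, whether the build is at or above the first
    fixed build, and the CVEs that remain open when it is not.
    """
    line = release_line(info["version"])
    build = int(info["build"])          # the API returns the build as a string
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        # 6.x and earlier are not in the advisory's fix matrix: report them as unknown
        # rather than silently treating them as patched.
        return {"line": line, "build": build, "status": "unsupported_or_unknown",
                "open_cves": list(CVES)}
    patched = build >= fixed
    return {"line": line, "build": build, "fixed_build": fixed,
            "status": "patched" if patched else "vulnerable",
            "open_cves": [] if patched else list(CVES)}


def fetch_version(host, user, password, verify_tls=True):
    """Live check: open an API session, then read the appliance version record."""
    ctx = ssl.create_default_context()
    if not verify_tls:                   # only for lab appliances with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    auth = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/session", method="POST",
                                 headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, context=ctx) as r:
        token = json.load(r)             # the session id comes back as a bare JSON string
    req = urllib.request.Request(f"https://{host}/api/appliance/system/version",
                                 headers={"vmware-api-session-id": token})
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)


# Constructed sample records (illustrative version strings, not real hosts).
SAMPLES = {
    "vc-old-7": {"version": "7.0.3.01500", "build": "21290409"},
    "vc-new-7": {"version": "7.0.3.01600", "build": "21784751"},
    "vc-old-8": {"version": "8.0.1.00100", "build": "21815093"},
    "vc-new-8": {"version": "8.0.1.00200", "build": "22088981"},
    "vc-67":    {"version": "6.7.0.54000", "build": "19832280"},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        result = assess(rec)
        print(f"{name}: {result['status']} (build {result['build']}, "
              f"open: {', '.join(result['open_cves']) or 'none'})")
```

For a live run, replace the samples with `assess(fetch_version("vcenter.example.internal", "administrator@vsphere.local", password))` for each appliance; the comparison is deliberately on build number rather than on the dotted version string, because interim patches share a version prefix and only the build distinguishes them.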

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

VMware occupies a significant proportion of the virtualisation market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, VMware products have become a prime target for threat actors. Due to the fact that virtual machines have become an integral aspect of both personal and business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive information contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Execution

T1059 – Command and Scripting Interpreter

Impact

T1485 – Data Destruction

T1499 – Endpoint Denial of Service

Further Information

VMSA-2023-0014
