VMware vCenter Server Vulnerabilities Pose Remote Exploitation Risk

Image Credit by Pixabay

VTA-004474 – VMware vCenter Server Vulnerabilities Pose Remote Exploitation Risk

VMware released a security advisory addressing vulnerabilities (CVE-2023-34048, CVE-2023-34056) in VMware vCenter Server, focusing on an out-of-bounds write flaw and partial information disclosure. The critical severity (CVSSv3 base score of 9.8) out-of-bounds write vulnerability in vCenter Server’s DCERPC protocol implementation could be exploited remotely by a cyber actor to seize control of the affected system. The products affected are VMware vCenter Server and VMware Cloud Foundation. While in-depth analysis reveals potential remote code execution via this flaw, VMware recommends using updates from the ‘Response Matrix’ to fix CVE-2023-34048, as in-product workarounds were deemed impractical. The security disclosure emphasises the importance of addressing these vulnerabilities to reduce the risk of unauthorised system access.

Severity:
Medium

Attack Surfaces:
Cloud Service, Endpoint OS, Remote Access Service, Server OS

Tactics:
Collection, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Technique:
T1003 – OS Credential Dumping
T1035 – Service Execution
T1046 – Network Service Scanning
T1059 – Command and Scripting Interpreter
T1068 – Exploitation for Privilege Escalation
T1073 – DLL Side-Loading
T1076 – Remote Desktop Protocol
T1077 – Windows Admin Shares
T1082 – System Information Discovery
T1204 – User Execution
T1219 – Remote Access Software
T1529 – System Shutdown/Reboot
T1543 – Create or Modify System Process
T1561 – Disk Wipe
T1566 – Phishing

References:
1. https://www.vmware.com/security/advisories/VMSA-2023-0023.html
2. https://www.mycert.org.my/portal/advisory?id=MA-1022.012024

SuperPRO’s Threat Countermeasures Procedures: 
1. Update VMware vCenter Server to the latest version
2. Follow the VMware documentation for patching procedures and considerations.
3. Isolate vCenter Server from other network segments to limit potential attacker access.
4. Disable unnecessary services on vCenter Server to reduce the attack surface.
5. Implement multi-factor authentication (MFA) for all vCenter Server accounts.
6. Implement security monitoring solutions to detect and respond to potential malicious activities on vCenter Server.
7. Regularly back up critical data and systems.

Contributed by: Kai Sheng