Virtualization giant VMware has published software updates to address multiple memory corruption vulnerabilities in vCenter Server that could lead to remote code execution.
A total of five security defects were patched in the software’s implementation of the DCERPC protocol, including four that VMware flags as ‘important’, with a CVSS score of 8.1.
Two of these issues, tracked as CVE-2023-20892 (heap buffer overflow due to uninitialized memory) and CVE-2023-20893 (use-after-free) could lead to code execution, according to VMware’s advisory.
“A malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server,” VMware notes for both.
Next in line is CVE-2023-20894, a remotely exploitable out-of-bounds write bug that can be triggered via specially crafted packets to cause memory corruption.
The fourth vulnerability, CVE-2023-20895, is a memory corruption flaw that can be exploited over the network to bypass authentication.
VMware’s updates also address a important-severity out-of-bounds read vulnerability that a malicious actor can exploit remotely to cause a denial-of-service (DoS) condition on services such as vmcad, vmdird, and vmafdd.
Patches for all flaws were included in vCenter Server and Cloud Foundation versions 8.0 U1b and 7.0 U3m. VMware also released Async patches for VCF customers.
vCenter Server is an advanced server management software for virtual infrastructure delivery across the hybrid cloud. The appliance is included in vSphere and Cloud Foundation products.
VMware recommends that all customers update to a patched version of the impacted products, noting that there is no workaround for any of these vulnerabilities. The company says it is not aware of any of these flaws being exploited in the wild.