VMware reveals critical vCenter vuln that you may have patched already without knowing it
Takes rare step of issuing patches for end-of-life versions, as some staff report end-of-career letters
VMware has disclosed a critical vulnerability in its vCenter Server – and that it issued an update to fix it weeks ago, along with patches for unsupported versions of the software.
The soon-to-be-acquired-by-Broadcom virtualization giant on Wednesday delivered news that its implementation of the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol contains an out-of-bounds write vulnerability.
CVE-2023-34048, as the vuln is now known, carries a 9.8/10 CVSSv3 score, as it enables a malicious actor with network access to vCenter Server to trigger an out-of-bounds write – potentially leading to remote code execution.
Virtzilla hasn't seen anyone exploiting the flaw, but of course advises fixing it – fast.
Which is where things get a little odd. One way to address the situation is to adopt vCenter Server 8.0U2 – which was released on September 21. Yet an archived version of the release notes for 8.0U2 dated October 13 contains no mentions of security patches.
Nor does the version of the release notes visible today mention whether the document has been updated to address CVE-2023-34048.
We can't imagine VMware would require those who adopted vCenter 8.0U2 to update their servers a second time, so we have asked for clarification on whether version 8.0U2 addressed the vuln on the day it was released.
Unusually, VMware also released patches for versions of vCenter that have reached end of life. Versions 6.5, 6.7, and 7.0 can all find fixes.
Virtzilla revealed a second CVE, too. CVE-2023-34056 means "a malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data."
This one's rated a mere 4.3 and is covered by the same patches that address the critical vuln. That critical flaw was found by Grigory Dorodnov of Trend Micro's Zero Day Initiative.
Between the security notification that brought news of these flaws, and the release of updated desktop hypervisors, VMware is clearly going about business as usual ahead of its acquisition by Broadcom, due to complete on or by October 30. The Register has also hinted that announcements from the European incarnation of the VMware Explore conference, starting November 6, are imminent.
But The Register has also encountered posts claiming letters offering employment at Broadcom have started to arrive in the US, with some VMware staffers complaining that – unlike their close colleagues – they've not received such a missive. ®
UPDATED: VMware told us this flaw was reported to it in a responsible manner, shortly before versions 8.0U2 and 7.0U3o were scheduled to release. "We were able to apply the fix before those releases shipped," a VMware spokesperson said. "With no viable workaround possible, we also created patches for earlier product releases, taking the necessary extra steps to ensure ease of upgrade for customers on older versions so they could patch quickly at the time of disclosure."