CVE-2023-34048

Description

vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.

Add Assessment

ccondon-r7 (282)

January 19, 2024 10:39am UTC (10 months ago)•

Ratings

Attacker Value

Very High

CISA KEV Listed Common in enterprise Gives privileged access Observed in state-sponsored attacks

Technical Analysis

Critical out-of-bounds write vuln in vCenter Server and Cloud Foundation. While we haven’t looked at this in-depth, VMware’s advisory indicates that it’s been exploited in the wild, and they took the unusual step of patching several end-of-life versions of vCenter Server:

While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and lack of workaround VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.

The vuln requires network access to exploit, for whatever that’s worth at this point in threat-land. Typical skepticism on ease/reliability of exploitation applies given that this is a memory corruption vuln, but with that said, vCenter is a high-value target for skilled and motivated threat actors, including ransomware groups. vCenter Server customers should heed the FAQ advice and patch on an emergency basis.

Edit: Mandiant has published technical information revealing that this vuln has apparently been exploited since 2021 by UNC3886, a China-nexus threat actor. So it is 0day after all.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

vmware

Products

vcenter server,
vcenter server 7.0,
vcenter server 8.0

Exploited in the Wild

Reported by:

ccondon-r7 indicated source as Vendor Advisory (https://www.vmware.com/security/advisories/VMSA-2023-0023.html)

Reported: January 19, 2024 10:13am UTC (10 months ago) • Edited 9 months ago

cbeek-r7 indicated source as Government or Industry Alert (https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021)

Reported: January 22, 2024 10:01am UTC (9 months ago)

inokii indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2024/01/22/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: January 22, 2024 4:56pm UTC (9 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2024/01/22/cisa-adds-one-known-exploited-vulnerability-catalog)

Reported: November 08, 2024 8:20am UTC (1 week ago)

References

Canonical

CVE-2023-34048 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34048)

Miscellaneous

https://www.vmware.com/security/advisories/VMSA-2023-0023.html

Rapid7

Very High

Very High

Unknown

None

None

Network

CVE-2023-34048

Description