What is VMSA-2023-0023?

Several security vulnerabilities have been identified in the DCE/RPC protocol used by vCenter Server. This protocol was originally designed for distributed computing scenarios and serves as a bridge for communication between different software systems and components.

‍

Due to the characteristics of the protocol, the CVE can be exploited remotely, requiring only network connectivity to vCenter Server. Currently, there is no known exploit, and it doesn't appear to be easy to create one. However, this situation could change quickly.

How  CVEs works

CVE-2023-34048 describes an out-of-bounds write vulnerability in vCenter Server's implementation of the DCERPC protocol. This vulnerability, rated Critical with a CVSSv3 score of 9.8, allows a malicious actor with network access to remotely execute arbitrary code on the host where vCenter Server is running. 

‍

There is no workaround for this CVE and the only mitigation is to patch vCenter. VMware deemed the vulnerability critical enough to release fixed versions even for products that are no longer officially supported. vCenter 6.5 U3v, 6.7 U3t and 8.0 U1d have been released to address the vulnerability for customers who can't or don't want to upgrade to a newer version.

‍

CVE-2023-34056 is a partial information disclosure vulnerability in vCenter Server. This vulnerability, rated Moderate with a CVSSv3 score of 4.3, could allow a malicious actor with non-administrative access to retrieve potentially unauthorized information from vCenter Server. The recommended resolution is to apply the updates listed in the remediation matrix. No workarounds or additional documentation are currently provided.

How to patch these vulnerabilities

The critical CVE-2023-34048 affects vCenter versions 6.5, 6.7, 7.0, and 8.0. There is no workaround for any of them and the only solution is to patch the vCenter. Versions 6.5 U3v, 6.7 U3t, 7.0 U3o, 8.0 U1d, and 8.0 U2 have been released to address this issue. The just released Runecast definition update 6.7.1.4 covers the VMSA. Please be sure to update the definitions in your Runecast appliance to ensure that your environments are scanned correctly.

‍

CVE-2023-34056 can be resolved by upgrading to vCenter 7.0 U3o or 8.0 U2.

‍

The original VMSA article is available here.

How Runecast protects against VMSA-2023-0023

Runecast helps you automate the security of your workloads

The realm of cybersecurity is dynamic, with ongoing emergence of new threats. Staying informed about the most recent threats enables organisations to maintain current and up to date defences. Ultimately, identification of threats and their remediation steps is not the only step, as knowledge is useless without action.

‍

Runecast users reduce the risk of falling victim to this kind of attack by leveraging:

‍

1. The most sophisticated and complete VMware vulnerability and security hardening assessment with our patented rules engine.
2. Prioritisation of vulnerabilities based on their severity levels and known exploited vulnerabilities information.
3. Fastest vulnerability and security standard release cycle thanks to the Runecast AI Knowledge Automation Platform.
4. Best time to value on the market, with 15-minute agentless deployment and results.
5. Unmatched secure deployment methods supporting air-gapped environments.
6. Automated remediation capabilities. 

‍

By using Runecast regularly and following its recommendations, you can:

‍

• Maintain a hardened configuration to reduce attack surface.
• Save time by automating remediation.
• Stay free of critical vulnerabilities with known exploits prioritisation.
• Greatly reduce the risk of any malware, including ransomware, from compromising your systems.

‍

Runecast is a powerful platform that can help you reduce the risk of falling victim to a VMware targeted ransomware attack. While there is no solution that can guarantee 100% prevention, following Runecast's vulnerability and security hardening recommendations will give you the best chance of avoiding a costly and damaging attack.