VMware has issued security updates addressing three critical vulnerabilities within its Aria Operations for Networks platform, vulnerabilities that pose significant threats of information disclosure and remote code execution risks.
The most concerning of these vulnerabilities is a command injection flaw identified as CVE-2023-20887, which carries a CVSS score of 9.8. This vulnerability allows malicious actors with network access to execute arbitrary code remotely. In simple terms, it enables an attacker to take control of affected systems with legitimate network access.
A secondary vulnerability, labeled as CVE-2023-20888, pertains to deserialization issues that can also grant remote code execution capabilities to attackers with ‘member’ role access. This flaw has a CVSS score of 9.1, highlighting its severity. VMware’s advisory notes that the vulnerability allows an attacker to exploit the system if they possess valid credentials.
The third vulnerability, assigned the identifier CVE-2023-20889 with a CVSS score of 8.8, is recognized as a high-severity information disclosure bug. It potentially allows actors with network access to perform command injection attacks, leading to the leakage of sensitive data.
These vulnerabilities affect multiple versions of VMware Aria Operations, specifically those classified under version 6.x. Corrective measures have been put in place within versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. VMware has not provided any workaround options for businesses still reliant on the affected versions.
In related news, Cisco has also released patches for a significant bug impacting its Expressway Series and TelePresence Video Communication Server (VCS). The critical flaw, referenced as CVE-2023-20105 with a CVSS score of 9.6, allows authenticated attackers to escalate their privileges from read-only to administrative levels, potentially enabling them to alter user passwords, including those with administrative rights.
Another high-severity vulnerability identified as CVE-2023-20192 (CVSS score: 8.4) permits local attackers to execute commands and alter system configuration. Cisco recommends that customers disable command-line interface access for users with read-only permissions as an interim measure.
There is currently no indication that these vulnerabilities have been exploited in real-world scenarios; however, swift implementation of the patches is strongly advised to mitigate potential risks. The advisories are particularly pertinent in light of additional reports revealing three security vulnerabilities within the open-source graphics debugger RenderDoc, which could allow arbitrary code execution—further exemplifying the need for businesses to remain vigilant.