Recently, Cisco and VMware disclosed critical security vulnerabilities in their software that could potentially be exploited by adversaries, leading to unauthorized code execution on targeted systems.
The most severe is a critical command injection flaw in Cisco Industrial Network Director, tracked as CVE-2023-20036, with a CVSS score of 9.9. The vulnerability resides in the web user interface and stems from inadequate input validation when a device pack is uploaded.
Cisco highlighted that a successful exploit could enable attackers to execute arbitrary commands with NT AUTHORITY\SYSTEM privileges on the affected devices’ underlying operating systems. The networking giant announced these critical updates in an advisory dated April 19, 2023.
Furthermore, Cisco addressed a moderate-severity file permissions vulnerability classified as CVE-2023-20039 (CVSS score: 5.5). This flaw could be leveraged by an authenticated local attacker to access sensitive data.
Cisco has made patches available in version 1.11.3 and credited an external researcher with discovering these issues.
The company also remedied another serious vulnerability affecting the external authentication component of its Modeling Labs network simulation platform, tracked as CVE-2023-20154 with a CVSS score of 9.1. This vulnerability could allow unauthenticated attackers remote access to the web interface with administrative privileges.
Cisco noted that exploitation would require valid user credentials stored on an external authentication server that responds to search queries. While workarounds exist, the company advises users to verify their effectiveness in their own environments before deployment. The vulnerability has been addressed with the release of version 2.5.1.
VMware Addresses Critical Security Flaw in Aria Operations for Logs
On April 20, 2023, VMware released an advisory regarding a critical deserialization vulnerability, CVE-2023-20864, with a CVSS score of 9.8, affecting multiple versions of Aria Operations for Logs. Attackers with network access may exploit this flaw to execute arbitrary code with root privileges.
In addition to this critical issue, VMware’s version 8.12 update also resolves a high-severity command injection vulnerability, CVE-2023-20865 (CVSS score: 7.2), which could allow attackers with administrative access to execute commands as root.
VMware urged immediate patching for CVE-2023-20864, noting that only version 8.10.2 is vulnerable. The announcement follows the company’s earlier mitigation of two critical vulnerabilities in the same product, which posed risks of remote code execution.
As cyber threats become increasingly prevalent, particularly those targeting Cisco and VMware infrastructure, organizations should prioritize these updates to protect against potential exploitation. The vulnerabilities described correspond to adversary tactics such as initial access and privilege escalation, as recognized in the MITRE ATT&CK framework. Organizations are encouraged to track these vulnerabilities and act promptly to safeguard their systems.