Cisco and VMware Release Security Updates to Patch Critical Flaws in Their Products
Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems.
The most severe vulnerability is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in a web UI component and stems from improper input validation when uploading a Device Package.
“A successful exploit could allow an attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the affected device’s underlying operating system,” Cisco said in an advisory released on April 19, 2023.
The networking equipment major also resolved a moderate-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that could be abused by an authenticated local attacker to view sensitive information.
Patches are available in version 1.11.3, with Cisco crediting an unnamed "external" researcher for reporting the two issues.
Also fixed by Cisco is another critical flaw, this one in the external authentication mechanism of the Cisco Modeling Labs network simulation platform. Tracked as CVE-2023-20154 (CVSS score: 9.1), the vulnerability could allow an unauthenticated remote attacker to access the web interface with administrative privileges.
"To exploit this vulnerability, attackers need valid user credentials stored on the associated external authentication server," the company noted.
“If the LDAP server is configured in such a way that it will reply to search requests with a non-empty array of entries (replies containing search result reference entries), this authentication bypass vulnerability can be exploited.”
While workarounds exist that address the flaw, Cisco urges customers to test their effectiveness in their own environment before deploying them. The flaw has been patched in release 2.5.1.
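The LDAP detail above describes a general pitfall worth seeing in code: a search reply is not the same thing as a matched user entry, because a partitioned directory can answer with search-result-reference (referral) records even when no entry matches. The following is an added, illustrative model written for this article; it is not Cisco's code and makes no claim about how Cisco Modeling Labs implements its check. The directory contents, the `search` and `bind` helpers and the record shape are all constructed for the example.

```python
"""Illustrative model of an LDAP search-based user check (added example, not Cisco's code).

It shows why "the search reply is non-empty" must not be read as "the user
exists": a directory that holds only part of the tree appends a
searchResRef (referral) record to replies, including replies for users it
does not hold at all.
"""
from dataclasses import dataclass, field


@dataclass
class LdapRecord:
    """One record of a search reply. Shape constructed for this example;
    real clients (python-ldap, ldap3) return an equivalent entry/referral split."""
    kind: str                                   # "searchResEntry" or "searchResRef"
    dn: str = ""
    attributes: dict = field(default_factory=dict)


# Constructed local partition: a single user. (Hypothetical data.)
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "password": "correct horse"},
}

# Referral the server returns for the part of the tree it does not hold. (Hypothetical.)
REFERRAL = LdapRecord(
    "searchResRef",
    attributes={"uri": ["ldap://other.example.com/ou=people,dc=example,dc=com"]},
)


def search(uid: str) -> list[LdapRecord]:
    """Simulate a '(uid=<uid>)' subtree search against the constructed directory.
    Matching entries come first; the referral is appended regardless of matches."""
    reply = [
        LdapRecord("searchResEntry", dn, {"uid": [attrs["uid"]]})
        for dn, attrs in DIRECTORY.items()
        if attrs["uid"] == uid
    ]
    reply.append(REFERRAL)
    return reply


def vulnerable_user_exists(reply: list[LdapRecord]) -> bool:
    """Pitfall: any non-empty reply is taken as proof that a user entry matched.
    A reply consisting only of referral records passes this check."""
    return len(reply) > 0


def hardened_user_exists(reply: list[LdapRecord], expected_uid: str) -> bool:
    """Require exactly one real entry whose uid attribute is the one asked for;
    referral records are ignored, and ambiguous (multi-entry) replies are rejected."""
    entries = [r for r in reply if r.kind == "searchResEntry"]
    if len(entries) != 1:
        return False
    return entries[0].attributes.get("uid") == [expected_uid]


def hardened_login(uid: str, password: str) -> bool:
    """Resolve the user's DN from a validated entry, then verify the credential
    by binding as that DN (simulated bind against the constructed directory)."""
    reply = search(uid)
    if not hardened_user_exists(reply, uid):
        return False
    dn = next(r.dn for r in reply if r.kind == "searchResEntry")
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


if __name__ == "__main__":
    for who in ("alice", "mallory"):
        reply = search(who)
        print(who, [r.kind for r in reply],
              "vulnerable:", vulnerable_user_exists(reply),
              "hardened:", hardened_user_exists(reply, who))
```

The defensive rule this models is simple: filter the reply by record type, demand exactly one entry, check that its identifying attribute is the one requested, and only then bind with the resolved DN. Treating referrals as entries, or accepting "non-empty" as "found", turns a directory configuration detail into an authentication decision.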
VMware shipped an update for Aria Operations for Logs
VMware, in an advisory released on April 20, 2023, warns about a critical deserialization flaw affecting some versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).
"An unauthenticated malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root," the virtualization services provider said.
VMware Aria Operations for Logs 8.12 fixes this vulnerability along with a high-severity command injection flaw (CVE-2023-20865, CVSS score: 7.2) that could allow an attacker with admin privileges to execute arbitrary commands as root.
"CVE-2023-20864 is a critical issue and must be patched urgently," the company said. "It should be underlined that only version 8.10.2 is affected by this vulnerability."
The warning comes nearly three months after VMware disclosed two critical issues in the same product (CVE-2022-31704 and CVE-2022-31706, CVSS score: 9.8) that could result in remote code execution.
With Cisco and VMware equipment becoming tempting targets for threat actors, it is recommended that users move quickly to apply updates to mitigate potential threats.