Cisco and VMware Address Critical Vulnerabilities
VMware has released security update to fix three vulnerabilities in Operation Aria for Networks that could result in information disclosure and remote code execution.
The most critical of the three vulnerabilities is the command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) which can allow a malicious actor with network access to achieve remote code execution.
Also being patched by VMware is another deserialization vulnerability (CVE-2023-20888) which is rated 9.1 out of a maximum of 10 on the CVSS rating system.
“A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution,” the company said in an advisory.
The third security flaw is a high-severity information disclosure bug (CVE-2023-20889CVSS score: 8.8) which can allow actors with network access to perform command injection attacks and gain access to sensitive data.
Three flaws that impact VMware Aria Operations Networks version 6.x are repaired in the following versions: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. Neither solution reduces the problem.
Warning comes as Cisco sent fix for a critical flaw in the Expressway Series and TelePresence Video Communication Server (VCS) that could “allow an authenticated attacker with Administrator-level read-only credentials to elevate their privileges to Administrator with read-write credentials on affected systems.”
The privilege escalation flaw (CVE-2023-20105, CVSS score: 9.6), it says, stems from the incorrect handling of password change requests, allowing an attacker to change the password of any user on the system, including read-write administrative users. , then impersonate that user.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
A second high-level vulnerability in the same product (CVE-2023-20192, CVSS score: 8.4) could allow an authenticated local attacker to execute commands and modify system configuration parameters.
As a workaround for CVE-2023-20192, Cisco recommends that customers disable CLI access for read-only users. These two issues have been resolved in VCS versions 14.2.1 and 14.3.0 respectively.
While there is no evidence that the vulnerability has been abused in the wild, it is strongly recommended to patch the vulnerability as soon as possible to mitigate potential risks.
Advice also follows invention from three security bugs in RenderDoc (CVE-2023-33863, CVE-2023-33864And CVE-2023-33865), an open-source graphical debugger, which allows advisors to have elevated privileges and execute arbitrary code.
