A critical vulnerability in the VMware vCenter Server management software platform has been actively exploited months after the flaw was initially disclosed and security patches were released.
The critical vCentre Server security flaw allows attackers to leverage remote code execution (RCE) attacks on exposed servers.
Tracked as CVE-2023-34048, the flaw involves an out-of-bounds write vulnerability in the vCentre Server system’s implementation of the DCE/RPC protocol, and was given the maximum CVSS base score of 9.8 in the National Vulnerability Database (NVD).
vCentre Server is VMware’s advanced server management software that provides customers with a centralized platform where they can manage virtual machines, ESXi hosts, and other VMware products.
Citrix confirms two new NetScaler vulnerabilities as firms urged to patch immediatelySneak-and-peek Midnight Blizzard attack highlights “worrying flaws” in Microsoft security processesGPU memory vulnerability could allow hackers to access LLM responses - and Apple, Qualcomm, and AMD products were all at risk
VMware initially disclosed the vulnerability in a security advisory issued in October 2023, stating there was no evidence the RCE flaw was currently being exploited.
The Broadcom-owned cloud computing specialist released a security patch alongside the advisory encouraging customers to patch their servers as soon as possible, with the latest vCentre 9.0U2 available now.
The severity of the vulnerability was underscored by VMware’s decisions to release patches for versions of its products that have reached their end-of-life (EoL) status. These security patches are available via VMware’s vCentre Server update system.
In an update made to its initial security advisory issued in October 2023, VMware confirmed the vulnerability was being actively exploited by threat actors in the wild.
VMware vCenter Server: A Chinese-linked group has been exploiting since late 2021
Research from Google’s cyber security subsidiary Mandiant revealed a Chinese espionage group called UNC3886 has been exploiting CVE-2023-34048 since late 2021.
UNC3886 have been previously recorded targeting VMWare products, with Mandiant revealing a novel malware system affecting ESXi hosts, vCentre servers, and Windows virtual machines.
Mandiant’s report notes the similarity in the group's attacks, targeting systems lacking in endpoint detection and response solutions.
The attack paths usually focus “on technologies that are unable to have EDR deployed to them”.
“UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities,” the report added.
Meet rising demands on your data center
DOWNLOAD NOW
Researchers at Mandiant observed a similarity between affected vCenter systems where a certain “vmdird” service crashed just before the attackers deployed backdoors onto the server.
Both Manidant and VMware’s Product Security team were able to demonstrate that this crash process was linked to the exploitation of CVE-2023-34048.
These crashes were observed across cyber incidents attributed to the UNC3886 group between late 2021 and early 2022, providing the threat actors with an 18-month window in which to exploit the vulnerability.
As well as applying the latest security patches, VMware warned customers to tighten their network perimeter access control, acknowledging there are no workarounds that remove the vulnerability entirely.
“VMware strongly recommends strict network perimeter access control to all management components and interfaces in vSphere and related components, such as storage and network components, as part of an overall effective security posture.”
