Cisco and VMware Adress Critical Security Vulnerabilities in Recent Update
In order to address three security weaknesses in Aria Operations for Networks that could lead to information exposure and remote code execution, VMware has provided security patches.
The most serious of the three flaws is a command injection flaw identified as CVE-2023-20887 (CVSS score: 9.8) that could enable remote code execution for a hostile actor with network access.
A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution.
VMware said in a advisory
A command injection attack could be used by an actor with network access to perform a high-severity information disclosure bug (CVE-2023-20889, CVSS score: 8.8) and get access to sensitive data.
The following releases have addressed the three issues that affect VMware Aria Operations Networks version 6. x: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There are no solutions that lessen the problems.
The warning was issued at the same time that Cisco released patches for a critical flaw in its Motorway Series and TelePresence Video Communication Server (VCS) that “allows an authenticated attacker with Administrator-level read-only credentials to elevate their privileges to Administrator with read-write credentials on an affected system.”
Our Readers ALSO READ
It was claimed that the privilege escalation problem (CVE-2023-20105, CVSS score: 9.6) results from improper handling of password change requests and permits an attacker to change any user’s password on the system, even an administrator read-write user, and then use that password to pretend to be that user.
The same product contains a second high-severity vulnerability that might allow an authorized local attacker to change system configuration settings and execute commands (CVE-2023-20192, CVSS score: 8.4).
Cisco suggests that clients disable CLI access for read-only users as a fix for CVE-2023-20192. Both problems have been fixed in the respective VCS versions 14.2.1 and 14.3.0.
Although there is no proof that any of the aforementioned vulnerabilities have been exploited in the wild, it is strongly urged to patch them as soon as possible to reduce any risks.
The advisories also come in response to the discovery of three security flaws in the open-source graphics debugger RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865) that might allow an advisory to obtain elevated privileges and run arbitrary code.