VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could outcome in facts disclosure and distant code execution.
The most critical of the a few vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) that could let a malicious actor with network entry to realize distant code execution.
Also patched by VMware is an additional deserialization vulnerability (CVE-2023-20888) that is rated 9.1 out of a greatest of 10 on the CVSS scoring system.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“A destructive actor with network accessibility to VMware Aria Functions for Networks and legitimate ‘member’ part qualifications may be able to complete a deserialization attack ensuing in remote code execution,” the organization mentioned in an advisory.
The 3rd security defect is a high-severity details disclosure bug (CVE-2023-20889, CVSS score: 8.8) that could permit an actor with network access to complete a command injection attack and get hold of entry to delicate information.
The three shortcomings, which impact VMware Aria Functions Networks model 6.x, have been remediated in the following versions: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There are no workarounds that mitigate the issues.
The inform arrives as Cisco transported fixes for a critical flaw in its Expressway Collection and TelePresence Online video Interaction Server (VCS) that could “enable an authenticated attacker with Administrator-degree go through-only qualifications to elevate their privileges to Administrator with examine-produce credentials on an influenced procedure.”
The privilege escalation flaw (CVE-2023-20105, CVSS score: 9.6), it stated, stems from incorrect managing of password transform requests, thus enabling an attacker to change the passwords of any person on the process, including an administrative read through-publish consumer, and then impersonate that consumer.
Impending WEBINAR🔐 Mastering API Security: Understanding Your Legitimate Attack Surface
Explore the untapped vulnerabilities in your API ecosystem and just take proactive measures toward ironclad security. Sign up for our insightful webinar!
Be part of the Session.wn-button,.wn-label,.wn-label:soon aftershow:inline-block.verify_two_webinarmargin:20px 10px 30px 0background:#f9fbffcolor:#160755padding: 5%border:2px solid #d9deffborder-radius:10pxtext-align:leftbox-shadow:10px 10px #e2ebff-webkit-border-prime-still left-radius:25px-moz-border-radius-topleft:25px-webkit-border-base-appropriate-radius:25px-moz-border-radius-bottomright:25px.wn-labelfont-sizing:13pxmargin:20px 0font-body weight:600letter-spacing:.6pxcolor:#596cec.wn-label:afterwidth:50pxheight:6pxcontent:”border-leading:2px solid #d9deffmargin: 8px.wn-titlefont-measurement:21pxpadding:10px 0font-bodyweight:900textual content-align:leftline-peak:33px.wn-descriptiontext-align:leftfont-size:15.6pxline-height:26pxmargin:5px !importantcolor:#4e6a8d.wn-buttonpadding:6px 12pxborder-radius:5pxbackground-colour:#4469f5font-dimension:15pxcolor:#fff!importantborder:0line-height:inherittext-decoration:none!importantcursor:pointermargin:15px 20pxfloat:leftfont-excess weight:500letter-spacing:.2px
A 2nd superior-severity vulnerability in the exact products (CVE-2023-20192, CVSS rating: 8.4) could allow an authenticated, nearby attacker to execute instructions and modify method configuration parameters.
As a workaround for CVE-2023-20192, Cisco is recommending that customers disable CLI accessibility for go through-only consumers. Both issues have been resolved in VCS variations 14.2.1 and 14.3., respectively.
Although there is no evidence that any of the aforementioned flaws have been abused in the wild, it can be hugely encouraged to patch the vulnerabilities as before long as possible to mitigate potential hazards.
The advisories also comply with the discovery of a few security bugs in RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865), an open-resource graphics debugger, that could allow for an advisory to acquire elevated privileges and execute arbitrary code.
Uncovered this short article exciting? Adhere to us on Twitter and LinkedIn to browse much more distinctive written content we put up.
Some parts of this article are sourced from:
thehackernews.com