VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution.
The most critical of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution.
Also patched by VMware is another deserialization vulnerability (CVE-2023-20888) that is rated 9.1 out of a maximum of 10 on the CVSS scoring system.

“A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution,” the company said in an advisory.
The third security flaw is a high-severity information disclosure bug (CVE-2023-20889, CVSS score: 8.8) that could permit an actor with network access to perform a command injection attack and obtain access to sensitive information.
The three shortcomings, which impact VMware Aria Operations for Networks version 6.x, have been remediated in the following versions: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There are no workarounds that mitigate the issues.
The alert comes as Cisco shipped fixes for a critical flaw in its Expressway Series and TelePresence Video Communication Server (VCS) that could “allow an authenticated attacker with Administrator-level read-only credentials to elevate their privileges to Administrator with read-write credentials on an affected system.”
The privilege escalation flaw (CVE-2023-20105, CVSS score: 9.6), it said, stems from incorrect handling of password change requests, thereby allowing an attacker to alter the passwords of any user on the system, including an administrative read-write user, and then impersonate that user.
A second high-severity vulnerability in the same product (CVE-2023-20192, CVSS score: 8.4) could permit an authenticated, local attacker to execute commands and modify system configuration parameters.
As a workaround for CVE-2023-20192, Cisco is recommending that customers disable CLI access for read-only users. Both issues have been resolved in VCS versions 14.2.1 and 14.3., respectively.
While there is no evidence that any of the aforementioned flaws have been abused in the wild, it is highly recommended to patch the vulnerabilities as soon as possible to mitigate potential risks.
The advisories also follow the discovery of three security bugs in RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865), an open-source graphics debugger, that could allow an adversary to gain elevated privileges and execute arbitrary code.
Some parts of this article are sourced from:
thehackernews.com