
VMware has released security updates that fix three flaws in Aria Operations for Networks that could lead to information disclosure and remote code execution.
The most severe of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) that could allow a malicious attacker with network access to execute code remotely.
VMware also patched a deserialization vulnerability (CVE-2023-20888) that is rated 9.1 out of 10 on the CVSS scoring system.
“A malicious attacker with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform remote code execution deserialization attacks,” the company says in an advisory.

The third security flaw is a high-severity information disclosure bug (CVE-2023-20889, CVSS score: 8.8) that could allow an attacker with network access to perform a command injection attack and gain access to sensitive data.
The three flaws, which affect VMware Aria Operations for Networks version 6.x, have been fixed in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There are no workarounds that mitigate the issues.
The alert follows Cisco shipping a fix for a critical flaw in the Expressway Series and TelePresence Video Communication Server (VCS). This flaw “could allow an authenticated attacker with admin-level read-only credentials to elevate privileges to an administrator with read/write credentials” on affected systems.
The privilege escalation flaw (CVE-2023-20105, CVSS score: 9.6) is due to improper handling of password change requests, allowing an attacker to change the password of any user on the system (including an administrative read/write user) and then impersonate that user.
A second high-severity vulnerability (CVE-2023-20192, CVSS score: 8.4) in the same product could allow an authenticated, local attacker to execute commands and modify system configuration parameters.
As a workaround for CVE-2023-20192, Cisco recommends disabling CLI access for read-only users. Both issues are resolved in VCS versions 14.2.1 and 14.3.0, respectively.
Although there is no evidence that any of the aforementioned flaws have been exploited in the wild, we strongly recommend patching the vulnerabilities as soon as possible to mitigate any potential risk.
The advisories also follow the discovery of three security bugs (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865) in RenderDoc, an open-source graphics debugger, that could allow an attacker to gain elevated privileges and execute arbitrary code.