VMware has launched safety updates to repair a trio of flaws in Aria Operations for Networks that might lead to data disclosure and distant code execution.
Probably the most crucial of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS rating: 9.8) that might enable a malicious actor with community entry to attain distant code execution.
“A malicious actor with community entry to VMware Aria Operations for Networks and legitimate ‘member’ function credentials might be able to carry out a deserialization assault leading to distant code execution,” the corporate stated in an advisory.
The third safety defect is a high-severity data disclosure bug (CVE-2023-20889, CVSS rating: 8.8) that might allow an actor with community entry to carry out a command injection assault and procure entry to delicate information.
The three shortcomings, which affect VMware Aria Operations Networks model 6.x, have been remediated within the following variations: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There are not any workarounds that mitigate the problems.
The alert comes as Cisco shipped fixes for a crucial flaw in its Expressway Sequence and TelePresence Video Communication Server (VCS) that might “enable an authenticated attacker with Administrator-level read-only credentials to raise their privileges to Administrator with read-write credentials on an affected system.”
The privilege escalation flaw (CVE-2023-20105, CVSS rating: 9.6), it stated, stems from incorrect dealing with of password change requests, thereby permitting an attacker to change the passwords of any consumer on the system, together with an administrative read-write consumer, after which impersonate that consumer.
? Mastering API Safety: Understanding Your True Assault Floor
Uncover the untapped vulnerabilities in your API ecosystem and take proactive steps in the direction of ironclad safety. Be part of our insightful webinar!
A second high-severity vulnerability in the identical product (CVE-2023-20192, CVSS rating: 8.4) may allow an authenticated, native attacker to execute instructions and modify system configuration parameters.
As a workaround for CVE-2023-20192, Cisco is recommending that prospects disable CLI entry for read-only customers. Each points have been addressed in VCS variations 14.2.1 and 14.3.0, respectively.
Whereas there isn’t a proof that any of the aforementioned flaws have been abused within the wild, it is extremely suggested to patch the vulnerabilities as quickly as attainable to mitigate potential dangers.
The advisories additionally observe the discovery of three safety bugs in RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865), an open-source graphics debugger, that might enable an advisory to achieve elevated privileges and execute arbitrary code.