VMware has released security updates to address three flaws in Aria Operations for Networks that could result in information disclosure and remote code execution.
The most critical of the three vulnerabilities is a command injection flaw tracked as CVE-2023-20887 (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution.
Also patched by VMware is a deserialization vulnerability (CVE-2023-20888) that is rated 9.1 out of a maximum of 10 on the CVSS scoring system.
“A malicious actor with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials may be able to perform a deserialization attack resulting in remote code execution,” the company said in an advisory.
The third security defect is a high-severity information disclosure bug (CVE-2023-20889, CVSS score: 8.8) that could allow an actor with network access to perform a command injection attack and gain access to sensitive information.
The three shortcomings, which affect VMware Aria Operations for Networks version 6.x, have been remediated in the following versions: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There are no workarounds that mitigate the issues.
The alert comes as Cisco shipped fixes for a critical flaw in its Expressway Series and TelePresence Video Communication Server (VCS) that could “allow an authenticated attacker with Administrator-level read-only credentials to elevate their privileges to Administrator with read-write credentials on an affected system.”
The privilege escalation flaw (CVE-2023-20105, CVSS score: 9.6), it said, stems from incorrect handling of password change requests, thereby allowing an attacker to alter the passwords of any user on the system, including an administrative read-write user, and then impersonate that user.
A second high-severity vulnerability in the same products (CVE-2023-20192, CVSS score: 8.4) could allow an authenticated, local attacker to execute commands and modify system configuration parameters.
As a workaround for CVE-2023-20192, Cisco is recommending that customers disable CLI access for read-only users. Both issues have been addressed in VCS versions 14.2.1 and 14.3.0, respectively.
While there is no evidence that any of the aforementioned flaws have been abused in the wild, it is highly recommended to patch the vulnerabilities as soon as possible to mitigate potential risks.
The advisories also follow the discovery of three security bugs in RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865), an open-source graphics debugger, that could allow an adversary to gain elevated privileges and execute arbitrary code.
Some parts of this article are sourced from:
thehackernews.com