Threat Intelligence Blog
Black Arrow Cyber Advisory 26 October 2023 – High Severity Vulnerability in VMware vCenter Patched, Including End-of-Life Products
Executive summary
VMware have released a security advisory addressing a vulnerability which could allow an attacker to perform remote code execution via VMware vCenter Server. Patches have been released, even for previously end-of-life versions of VMware vCenter Server, due to the severity of the vulnerability. VMware have also addressed a vulnerability in which information can be partially disclosed.
What’s the risk to me or my business?
Organisations with a vulnerable server are leaving themselves at risk of allowing an attacker to perform remote code execution, impacting the confidentiality, integrity and availability of data.
The following versions are vulnerable, with patches detailed in VMware’s response matrix: 8.0, 7.0, 5.x, 4.x. VMware have also noted that, although end-of-life products are not normally mentioned in VMware Security Advisories, the critical severity of this vulnerability and the lack of a workaround have led them to make a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1.
What can I do?
Black Arrow recommends applying the patches for the critical vulnerability immediately due to the severity of the vulnerability; there is no workaround available. Fixes for the other vulnerability are addressed in the patches for the critical vulnerability. Further information can be found in the security advisory by VMware.
Technical Summary
CVE-2023-34048 – a critical out-of-bounds write vulnerability which can lead to remote code execution.
CVE-2023-34056 – a vulnerability which can allow threat actors without administrator privileges to access sensitive data.
Further information can be found here: https://www.vmware.com/security/advisories/VMSA-2023-0023.html
Black Arrow Cyber Threat Alert - Thursday 23 September 2021 - Nagios Management Software Vulnerabilities and VMWare vCenter Bug Allows for Remote Code Execution
1. Nagios Management Software Vulnerabilities Disclosed, Could be Chained to Perform Remote Code Execution
1.1 Executive Board Summary
What is Nagios?
Nagios is a market-leading IT monitoring software, used by such prominent businesses as Airbnb and PayPal. Nagios provides a centralised platform to allow both businesses and IT support providers to keep tabs on systems and services remotely.
What’s the risk to my business?
Given the attractive nature of Nagios to an attacker – a central resource with connections to potentially everything in the network – it could be severe. If you or your managed IT provider use Nagios, attackers may be able to remotely conduct attacks without requiring authentication – effectively bypassing your security.
What can I do?
Contact your IT department or provider to determine whether your systems are monitored by Nagios. A patch has been issued that your technical teams can implement straight away. See our technical summary for more details.
1.2 Technical Summary for Network Defenders
11 new security vulnerabilities have been disclosed for the Nagios network management platform. Of note is the potential to “chain” these attacks together to perform Remote Code Execution (RCE), theoretically allowing for pre-authenticated access and privilege escalation at the highest level.
Who is affected?
Anyone using Nagios XI, Nagios XI Switch Wizard, Nagios XI Docker Wizard or Nagios XI Watchguard.
What can I do?
These issues have been fixed in Nagios XI 5.8.5 and above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI Watchguard 1.4.8 or above.
IT teams are advised to perform the necessary patches as soon as is practicable.
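As an added example (not Nagios’ or Black Arrow’s code), the checker below compares an inventory of installed Nagios component versions against the fixed versions listed above. Versions are compared numerically rather than as strings, so a hypothetical 5.8.10 is correctly ranked above 5.8.5; the inventory values are constructed sample data.

```python
import re

# Fixed versions taken from the advisory text above.
FIXED_VERSIONS = {
    "Nagios XI": "5.8.5",
    "Nagios XI Switch Wizard": "2.5.7",
    "Nagios XI Docker Wizard": "1.13",
    "Nagios XI Watchguard": "1.4.8",
}

# Constructed sample inventory (not real hosts); one component is out of date.
SAMPLE_INVENTORY = {
    "Nagios XI": "5.8.10",
    "Nagios XI Switch Wizard": "2.5.6",
    "Nagios XI Docker Wizard": "1.13",
    "Nagios XI Watchguard": "1.4.8",
}


def parse_version(text):
    """Turn '5.8.10' into (5, 8, 10) so comparison is numeric per segment.
    Only the leading digits of each segment count, so '5-rc1' parses as 5
    and a missing or non-numeric segment counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    # Pad so (1, 13) and (1, 13, 0) compare equal.
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_fixed(component, installed):
    """True when the installed version is at or above the advisory's fixed version."""
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[component])


def audit(inventory):
    """Map each component to 'patched', 'VULNERABLE', or 'unknown component'."""
    results = {}
    for component, installed in inventory.items():
        if component not in FIXED_VERSIONS:
            results[component] = "unknown component"
        else:
            results[component] = "patched" if is_fixed(component, installed) else "VULNERABLE"
    return results


def vulnerable_components(inventory):
    """Sorted list of components still below their fixed version."""
    return sorted(c for c, status in audit(inventory).items() if status == "VULNERABLE")
```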
What’s the risk?
Consumers may be aware of the harm caused during the SolarWinds and Kaseya round of vulnerabilities, with the latter causing major disruption as a potential supply chain attack.
Solutions such as Nagios and Kaseya, while they undoubtedly provide IT teams with an efficient and broad toolset to support their network stack, offer attackers near unprecedented access if successfully breached. Given how widely these toolkits are integrated into the network, the risk from vulnerabilities in this software sector remains high.
2. Black Arrow Threat Alert: Critical VMWare vCenter Bug Allows for Remote Code Execution by Anyone on the Network
VMWare – a server hosting platform widely used in the Island by businesses and IT providers alike – have disclosed a bug in their vCenter management service dubbed as requiring attention “right now”.
2.1 Executive Board Summary
What is VMWare vCenter?
vCenter is a major component of the VMWare virtualisation ecosystem, used in managing virtual machines and servers. Nearly all businesses of reasonable size will utilise virtualisation to some extent – the act of running multiple servers on a single physical box. If you use a computer on a business network, you’ve probably got VMWare.
What’s the risk to my business?
If you are one of the many local firms using VMWare, high. VMWare have designated this bug as critical, as it allows for malicious files to be uploaded remotely – the most dangerous type of vulnerability. Attackers could craft these files to gain access to sensitive data, or as a springboard for another type of attack like ransomware.
What can I do?
Contact your IT department or IT provider to determine whether your systems are vulnerable. A patch has already been issued, so all up-to-date services will be protected. See our technical summary for more details.
2.2 Technical Summary for Network Defenders
A new vulnerability has been discovered in vCenter Server. The bug allows anyone with network access to vCenter via port 443 – locally or via remote connection – to arbitrarily abuse the file upload service to insert malicious content. The bug falls under the “Remote Code Execution” category of vulnerabilities and is therefore deemed highly critical.
What versions are affected?
VMWare advise that the bug impacts all current releases of vCenter Server – 6.5, 6.7 and 7.0.
What can I do?
Perform an initial check to determine if you are running on an affected version of vCenter Server. VMWare notes that organisations that have recently updated to version 7.0 Update 2c may not be impacted – though it is still recommended to run patches.
VMWare recommend immediate patching on any affected systems, where at all possible. A workaround has also been released, involving modification to a text file on the affected server and restarting services, though it should be noted this is only a temporary fix.
What’s the risk?
Industry resources report that threat actors have already begun scanning for this vulnerability since its release. In equal measure, the vulnerability allows for anyone with local network access to the affected server – i.e. staff member or third party contractor – to carry out the attack.
Given the severity and potential benefit to attackers, activity is expected to increase over the following weeks.