Alert essentials: In October 2023, VMware released a version upgrade that remediated an out-of-bounds write vulnerability in VMware vCenter Server and VMware Cloud Foundation. Chinese espionage group UNC3886 has been exploiting this flaw since 2021. Remediation should be assigned the highest priority.

Detailed threat description:
A highly advanced Chinese espionage group that previously targeted VMware products has returned to the spotlight. Security firm Mandiant reports that UNC3886 has been exploiting CVE-2023-34048 since late 2021. Fixed versions for the out-of-bounds write flaw were released in October 2023, yet many systems remain unpatched and at risk of compromise. The vulnerability gives a capable attacker remote code execution on vCenter Server, and it is being exploited in the wild.

Continuing a review of an exploit attack path from a zero-day last summer, the Mandiant research team found log entries that showed the “vmdird” service crashing minutes before attackers deployed backdoors to vCenter systems. The Mandiant researchers said an analysis by both them and VMware found that the process crashing aligned with the exploitation of CVE-2023-34048.
Initially reported by a Trend Micro researcher, this vulnerability can be exploited remotely in low-complexity attacks that do not require authentication or user interaction. Because of the critical nature of this weakness, VMware also issued security patches for multiple end-of-life products without active support.
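The vmdird crash described above is the kind of indicator a defender can hunt for retroactively: a vmdird crash on its own is noteworthy, and a crash followed within minutes by new executables or listening sockets on the same appliance is far more serious. The following is an added example, not code from the advisory, Mandiant or VMware. Its log format, hostnames, timestamps and paths are constructed placeholders; adapt the regular expressions to the vCenter and audit logs you actually collect.

```python
"""Correlate vmdird crashes with follow-on activity on the same vCenter appliance.

Added example for this advisory (not VMware's or Mandiant's code). The log shape
"<timestamp> <host> <source>: <message>" and every line in SAMPLE_LOGS are
constructed for illustration only.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines. vcsa01 shows a crash followed by suspicious
# activity within minutes; vcsa02 shows a crash with unrelated activity hours later.
SAMPLE_LOGS = """\
2023-09-14T03:12:01Z vcsa01 syslog: vmdird[1842] terminated with signal 11 (SIGSEGV)
2023-09-14T03:12:02Z vcsa01 syslog: vmdird: service restarted by watchdog
2023-09-14T03:17:44Z vcsa01 audit: new executable written to /tmp/constructed-example-binary
2023-09-14T03:18:10Z vcsa01 audit: new listening socket opened by pid 2207
2023-09-15T11:00:00Z vcsa02 syslog: vmdird[1200] terminated with signal 11 (SIGSEGV)
2023-09-15T14:30:00Z vcsa02 audit: new executable written to /tmp/constructed-upgrade-helper
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[^:]+): (?P<msg>.*)$")
# A vmdird process dying abnormally; the exact wording depends on your log source.
CRASH_RE = re.compile(r"vmdird.*(terminated with signal|SIGSEGV|core dumped)", re.I)
# Follow-on activity consistent with a backdoor being staged after the crash.
FOLLOWON_RE = re.compile(r"new executable written|new listening socket", re.I)
WINDOW = timedelta(minutes=30)  # tunable: how long after a crash to look


def parse(lines):
    """Return (timestamp, host, source, message) tuples sorted by time."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the expected shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["src"], m["msg"]))
    events.sort()
    return events


def correlate(lines, window=WINDOW):
    """For every vmdird crash, collect follow-on events on the same host inside the window.

    Each finding is rated "high" when follow-on activity is present and "medium"
    when the crash stands alone (still worth a look, since a crash may be a failed attempt).
    """
    events = parse(lines)
    findings = []
    for ts, host, _src, msg in events:
        if not CRASH_RE.search(msg):
            continue
        follow_on = [
            m2 for t2, h2, _s2, m2 in events
            if h2 == host and ts < t2 <= ts + window and FOLLOWON_RE.search(m2)
        ]
        findings.append({
            "host": host,
            "crash_at": ts.isoformat(),
            "severity": "high" if follow_on else "medium",
            "follow_on": follow_on,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Point the script at exported appliance logs instead of SAMPLE_LOGS and widen the window if your backup or patch automation makes the timeline noisier; any "high" finding on a vCenter Server that was reachable before the October 2023 update deserves a full compromise assessment rather than just a patch.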

There are no workarounds available, and vulnerable systems should be updated immediately!

Impacts on healthcare organizations: VMware products virtualize servers so that many virtual machines run on a single physical host. VMware is popular and found in most modern networks because it avoids purchasing and deploying many expensive physical servers. The downside is that many applications can be compromised or taken offline when attackers successfully access a single vCenter Server that manages them.

Affected products / versions:

  • VMware vCenter Server – all supported versions
  • VMware Cloud Foundation – all supported versions
  • While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability and lack of workaround, VMware has made a patch generally available for vCenter Server 6.7U3, 6.5U3, and VCF 3.x. For the same reasons, VMware has made additional patches available for vCenter Server 8.0U1
  • The specific network ports linked to potential exploitation in attacks targeting this vulnerability are 2012/TCP, 2014/TCP, and 2020/TCP
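The ports listed above give defenders a concrete thing to verify: whether anything outside the approved management networks can actually reach them on the vCenter Server. The following is an added example, not code from the advisory or from VMware. The three TCP ports come from the advisory; the allowed CIDRs, vCenter address and flow records are constructed placeholders to be replaced with your own firewall or flow-log exports.

```python
"""Check firewall/flow records for access to vCenter management ports from outside approved networks.

Added example for this advisory (not VMware's code). Ports are taken from the
advisory text; the networks, addresses and flow records are constructed.
"""
import ipaddress

MANAGEMENT_PORTS = {2012, 2014, 2020}  # TCP ports named in the advisory

# Constructed: networks from which vSphere administration is permitted.
ALLOWED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("10.20.5.0/28"),
]

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
# 10.10.1.5 stands in for the vCenter Server; 192.0.2.77 is a documentation-range address.
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.10.1.5", 2012, "tcp"),  # admin jump host -> vCenter: expected
    ("10.20.5.3", "10.10.1.5", 2020, "tcp"),   # second management net: expected
    ("192.0.2.77", "10.10.1.5", 2012, "tcp"),  # outside all management nets
    ("10.50.3.9", "10.10.1.5", 2014, "tcp"),   # internal, but not a management net
    ("10.50.3.9", "10.10.1.5", 443, "tcp"),    # HTTPS: outside the scope of this check
    ("10.50.3.9", "10.10.1.5", 2012, "udp"),   # not TCP: outside the scope of this check
]


def is_allowed_source(src_ip, allowed_nets=ALLOWED_MGMT_NETS):
    """True if the source address falls inside one of the approved management networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed_nets)


def find_exposed_access(flows, ports=MANAGEMENT_PORTS, allowed_check=is_allowed_source):
    """Return the flows that reached a management port over TCP from a non-approved source."""
    return [
        flow for flow in flows
        if flow[3].lower() == "tcp" and flow[2] in ports and not allowed_check(flow[0])
    ]


def summarize(flows):
    """Group offending flows by source address: {src_ip: [sorted ports]}."""
    by_src = {}
    for src, _dst, port, _proto in find_exposed_access(flows):
        by_src.setdefault(src, set()).add(port)
    return {src: sorted(ports) for src, ports in by_src.items()}


if __name__ == "__main__":
    for src, ports in summarize(SAMPLE_FLOWS).items():
        print(f"{src} reached vCenter management ports {ports} from outside the management networks")
```

A non-empty summary means the perimeter control recommended later in this alert is not holding; treat each listed source as a firewall rule to fix and, for systems that were unpatched while exposed, as a prompt to review the appliance for the crash-and-backdoor pattern Mandiant described.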

CVEs

  • CVE-2023-34048


Recommendations

Engineering recommendations:

  • Review KB95536 (LCM service crashing on SDDC Manager, vmware.com) and implement the corrective action before installing any updates
  • Apply individual product updates to cloud foundation environments before upgrading the cloud foundation environment with the Async Patch Tool (APT)
  • Strictly control network perimeter access to vSphere management components

Leadership / program recommendations:

  • VMware emphasized the absence of workarounds to mitigate this vulnerability, underscoring the importance of prompt action

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
