Cisco and VMware Release Critical Security Updates


June 8, 2023
Nextdoorsec-course

Cisco and VMware have both released critical security updates. VMware's patches address three vulnerabilities in Aria Operations for Networks that could lead to information disclosure and remote code execution.

The most severe of the three is a command injection flaw tracked as CVE-2023-20887, with a CVSS score of 9.8. A malicious actor with network access could exploit it to remotely execute arbitrary code.

VMware has also fixed a deserialization vulnerability, CVE-2023-20888, which carries a CVSS score of 9.1 out of 10.

According to VMware's advisory, an attacker with network access to VMware Aria Operations for Networks and valid 'member' role credentials could perform a deserialization attack, resulting in remote code execution.

The third issue is a high-severity information disclosure bug (CVE-2023-20889, CVSS score: 8.8). It allows an attacker with network access to perform a command injection attack and gain unauthorized access to sensitive data.


All three vulnerabilities affect the 6.x branch of VMware Aria Operations for Networks. The company has addressed them in the following releases: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. Unfortunately, there are no known workarounds; applying the patched versions is the only remedy.

Similarly, Cisco has released fixes for a critical flaw in its Expressway Series and TelePresence Video Communication Server (VCS). The vulnerability (CVE-2023-20105, CVSS score: 9.6) allows an authenticated attacker holding read-only Administrator-level credentials to elevate their privileges to a read-write Administrator.

The weakness stems from improper handling of password change requests. By exploiting it, an attacker could change the password of any user on the system, including a read-write administrator, and then assume that user's identity.

Moreover, a second high-severity vulnerability (CVE-2023-20192, CVSS score: 8.4) affects the same products. In this case, an authenticated local attacker can execute commands and modify system configuration parameters.

As an interim mitigation for CVE-2023-20192, Cisco advises disabling command-line interface (CLI) access for read-only users. Cisco has addressed both issues in VCS versions 14.2.1 and 14.3.0.

While there is no evidence that any of these vulnerabilities have been exploited in the wild, we strongly recommend applying the patches promptly to minimize the risk.

These advisories follow the disclosure of three security flaws in RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865), an open-source graphics debugger. Those vulnerabilities could allow attackers to gain elevated privileges and execute arbitrary code.

Saher

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
