Cisco and VMware Release Critical Security Updates

Reading Time: ( Word Count: )

June 8, 2023
Nextdoorsec-course

Cisco and VMware release critical security updates. VMware has recently released security patches to address three vulnerabilities in Aria Operations for Networks, which could lead to data disclosure and remote code execution.

The most critical vulnerability among the three is a command injection flaw known as CVE-2023-20887, with a CVSS score of 9.8. A malicious actor with network access could remotely execute arbitrary code by exploiting this vulnerability.

VMware has also fixed another deserialization vulnerability, CVE-2023-20888, which received a CVSS score of 9.1 out of 10 on the scoring system.

According to VMware’s advisory, an attacker with network access to VMware Aria Operations for Networks and valid ‘member’ role credentials could perform a deserialization attack, resulting in remote code execution.

The third security issue is a high-severity information disclosure bug (CVE-2023-20889, CVSS score: 8.8). It allows an attacker with network access to perform a command injection attack and gain unauthorized access to sensitive data.

Also, Read: “Cybercriminals Leveraging CAPTCHA-Breaking Services with Human Solvers to Bypass Security Measures”

These three vulnerabilities affect version 6.x of VMware Aria Operations Networks. However, the company has addressed the issues in the following versions: 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. There aren’t any known solutions to these vulnerabilities, which is unfortunate.

Similarly, Cisco has released fixes for a critical flaw in its Expressway Series and TelePresence Video Communication Server (VCS). This vulnerability (CVE-2023-20105, CVSS score: 9.6) allows an authenticated attacker with read-only Administrator-level credentials to elevate their privileges to Administrator with read-write credentials.

An attacker might change the passwords of any user on the network, even an administrator read-write user, using an authority cascade weakness resulting from improper handling of password change requests and then assuming that user’s identity. 

Moreover, another high-severity vulnerability (CVE-2023-20192, CVSS score: 8.4) affects the same product. In this case, an authenticated local attacker can execute commands and modify system configuration parameters.

Cisco advises blocking Command Line Interface (CLI) permission for read-only individuals as an interim remedy for CVE-2023-20192. Cisco has addressed both issues in versions 14.2.1 and 14.3.0 of VCS.

While there is no evidence of anyone exploiting these vulnerabilities, we strongly recommend promptly applying the patches to minimize potential risks.

These advisories come after discovering three security flaws in RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865), an open-source graphics debugger. These vulnerabilities could allow attackers to gain elevated privileges and execute arbitrary code.

Saher Mahmood

Saher Mahmood

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *