ALERT: Update VMware vCenter Server for critical vulnerability

10/25/2023

VMware has released updates to address a critical vulnerability in VMware vCenter Server that could lead to remote code execution. Affected VMware servers and components should be updated as soon as possible after appropriate testing. Because of the severity of the vulnerability and the lack of a workaround to mitigate it, VMware has also released patches for some legacy versions of its products, as noted below.


Wednesday, October 25, 2023

This message is intended for U-M IT staff who are responsible for systems running VMware vCenter Server.


Problem

A critical vulnerability in VMware vCenter Server can be exploited to allow remote code execution on the affected servers. The vulnerability can be exploited remotely, without need for user interaction.

Affected Systems

The following products are affected. Because of the severity of the vulnerability and the lack of a workaround to mitigate it, VMware has also released patches for the legacy versions in this list:

  • VMware vCenter Server 8.0 (8.0U1d or 8.0U2)
  • VMware vCenter Server 7.0 (7.0U3o)
  • VMware Cloud Foundation 5.x and 4.x
  • vCenter Server 6.7U3 and 6.5U3
  • VCF 3.x


Action Items

Update vCenter Server as soon as possible after appropriate testing. Because of the severity of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Links to updates and additional information can be found in VMware VMSA-2023-0023.

When possible, limiting access to the affected ports is a good additional security measure, but it does not replace patching as the mitigation for this vulnerability.

Technical Details

An out-of-bounds write vulnerability in vCenter's DCE/RPC protocol implementation can allow remote code execution. The specific ports linked to this vulnerability are:

  • 2012/tcp
  • 2014/tcp
  • 2020/tcp

This vulnerability does not require authentication or user interaction, and can be exploited remotely.
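The two checks this alert asks of an administrator, whether a vCenter host is on a patched release (Affected Systems / Action Items) and whether its DCE/RPC ports are reachable from the network (Technical Details), can be scripted together. The following is an added example, not code from VMware or U-M. It assumes that the parenthesized releases in the Affected Systems list (8.0U1d / 8.0U2 and 7.0U3o) are the patched builds for their respective lines (confirm against VMSA-2023-0023), and the `ss -ltn` output it parses is constructed for illustration.

```python
"""Triage helper for the vCenter DCE/RPC alert.

Added example, not VMware's or U-M's code. ASSUMPTIONS: the parenthesized
releases in the Affected Systems list (8.0U1d / 8.0U2, 7.0U3o) are the
patched builds for their lines (confirm against VMSA-2023-0023), and the
`ss -ltn` output below is constructed for illustration.
"""
import re

# TCP ports named in the Technical Details section.
DCERPC_PORTS = {2012, 2014, 2020}

# Patched releases per vCenter line as (major, minor, update, letter) tuples.
# ASSUMPTION: these are the fixed builds the alert lists in parentheses.
PATCHED = {
    (8, 0): [(8, 0, 1, "d"), (8, 0, 2, "")],
    (7, 0): [(7, 0, 3, "o")],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:U(\d+)([a-z]?))?$")


def parse_version(text):
    """Turn '8.0U1d', '7.0U3o' or '8.0' into (major, minor, update, letter).

    Tuple comparison then orders releases the way VMware numbers them:
    8.0 < 8.0U1 < 8.0U1d < 8.0U2 < 8.0U2a.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version: {text!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor), int(update or 0), letter or "")


def is_patched(version):
    """True/False for the 8.0 and 7.0 lines; None for lines the table does not
    cover (6.7U3, 6.5U3 and VCF received separate legacy patches; check the VMSA)."""
    v = parse_version(version)
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return None
    # A build on or after any listed fixed release of its line carries the fix.
    return any(v >= f for f in fixed)


# Matches the State, Recv-Q, Send-Q and Local Address:Port columns of `ss -ltn`.
LOCAL_RE = re.compile(r"^\s*LISTEN\s+\S+\s+\S+\s+(\S+)")


def exposed_dcerpc_ports(ss_output):
    """From `ss -ltn` text, return {port: bind_address} for DCE/RPC ports that
    listen on something other than loopback, i.e. are reachable from the network."""
    exposed = {}
    for line in ss_output.splitlines():
        m = LOCAL_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group(1).rpartition(":")   # handles "[::]:2020" too
        addr = addr.strip("[]")
        if not port.isdigit() or int(port) not in DCERPC_PORTS:
            continue
        if addr in ("127.0.0.1", "::1"):
            continue
        exposed[int(port)] = addr
    return exposed


def triage(version, ss_output):
    """Combine both checks into the decision the Action Items call for."""
    patched = is_patched(version)
    exposed = exposed_dcerpc_ports(ss_output)
    if patched:
        action = "patched: no action for this advisory"
    elif patched is None:
        action = "legacy line: confirm the specific legacy patch in VMSA-2023-0023"
    else:
        action = "UNPATCHED: update now; restricting ports %s is only interim" % sorted(exposed)
    return {"patched": patched, "exposed": exposed, "action": action}


# Constructed sample: an unpatched 8.0U1c host whose DCE/RPC ports listen on all
# interfaces except 2014, which is bound to loopback.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2012        0.0.0.0:*
LISTEN 0      128    127.0.0.1:2014      0.0.0.0:*
LISTEN 0      128    [::]:2020           [::]:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
"""

if __name__ == "__main__":
    print(triage("8.0U1c", SAMPLE_SS))
```

The version parser deliberately returns None for the 6.7 and 6.5 lines rather than guessing, since the alert names those lines without a specific patched build; for them the VMSA is the source of truth. Run the script with the real output of `ss -ltn` from the vCenter appliance to see which of the three ports are network-reachable before deciding on interim access restrictions.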