CVE-2023-20887: Cisco, VMware Fix Severe Vulnerabilities

Security researchers reported that software companies Cisco and VMware have released security advisories regarding several critical vulnerabilities in their products.

CVE-2023-20887: the VMware Vulnerabilities

VMware has issued updates to address three significant bugs within Aria Operations for Networks that could lead to information exposure and remote code execution.

The most severe of the flaws, tracked as CVE-2023-20887 and rated 9.8 out of 10 on the CVSS scale, would give an attacker with network access to the system the ability to carry out remote code execution.

The company also patched a deserialization vulnerability, CVE-2023-20888, ranked 9.1 out of 10 on the CVSS scale.

An individual with a 'member' role and network access to Aria Operations for Networks has the potential to exploit this vulnerability, performing a deserialization attack and subsequently remote code execution.

A third security vulnerability, an information disclosure bug with a CVSS score of 8.8 (CVE-2023-20889), was also fixed. This bug, if taken advantage of, could permit a command injection attack that would give an attacker access to confidential data.

The three flaws in VMware Aria Operations for Networks version 6.x have been addressed through patches in subsequent versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10. No workaround is available to mitigate these issues.




CVE-2023-20105: the Cisco Vulnerabilities

Furthermore, Cisco has shipped a fix for CVE-2023-20105, a critical vulnerability with a CVSS score of 9.6 in Expressway Series and TelePresence Video Communication Server (VCS). Since it is a privilege escalation flaw, an authenticated attacker with Administrator-level read-only credentials may be able to elevate their access to a read-write user on an affected system by altering passwords.

Cisco has recently addressed two high-severity security flaws in its VCS product (CVE-2023-20192, CVSS score of 8.4, and CVE-2023-20193). As an interim measure to protect against the vulnerabilities, the company has suggested that CLI access should be disabled for read-only users. VCS versions 14.2.1 and 14.3.0 were also released to fix the aforementioned security issues.

In addition, three other vulnerabilities were uncovered in the open-source graphics debugger RenderDoc (CVE-2023-33863, CVE-2023-33864, and CVE-2023-33865) that could grant attackers escalated privileges and enable them to run arbitrary code. There have been no reports yet of these flaws being exploited in the wild, but it is highly recommended that affected parties patch their systems quickly to protect against any potential risks.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
