CVE-2023-34048 is a pathogen that can be exploited remotely by an attacker who has network access to execute arbitrary code remotely due to an out-of-bounds write flaw found in VMware’s DCERPC implementation, which can be tracked as CVE-2023-34048 (CVSS 9.8).
As a result of the severity of the problem and the lack of workaround, VMware released patches for this vulnerability in October, noting that the patch was also available for versions of its products that had reached the end-of-life period (EOL).
There has been some reported exploitation of CVE-2023-34048 in the wild since last week, according to the virtualization technology company's advisory, but it does not provide any specific details on the attacks observed.
A zero-day vulnerability in VMware and Fortinet devices has been exploited by Chinese state-sponsored hackers named UNC3886 for years, experts have revealed, indicating that they have long exploited this vulnerability.
Earlier this week, Mandiant issued a report alleging that a group was exploiting the vulnerability to deploy malware, steal credentials, and ultimately exfiltrate sensitive information.
The security patch was released in late October of 2023, and it carries a severity rating of 9.8/10 (critical).
The flaw is described as an out-of-bounds write flaw that can allow attackers who have access to the VirtualCenter Server to execute code remotely. Cyberspies took advantage of this to gain access to their targets' vCenter servers and to use the compromised credentials to install maliciously crafted vSphere Installation Bundles (VIBs) on ESXi hosts with VirtualPita and VirtualPie backdoors via maliciously crafted backdoors.
Next, the attackers exploited a VMware Tools authentication bypass flaw in CVE-2023-20867 to gain access to guest virtual machines, harvest files, and exfiltrate them. Although Mandiant was not yet certain how the attackers acquired privileged access to victims' VMware servers, a VMware service crash minutes before the backdoors were deployed made it evident that the link was established by a VMware service crash, which closely coincided with the exploit of CVE-2023-34048 in late 2023.
It has been revealed by Mandiant that the zero-day attacker targeting VMware has been exploiting CVE-2023-34048 as a zero-day weaponized by them, allowing them to gain privileged access to the vCenter system, enumerate all VMware ESXi hosts and their virtual machines which they are connected to, and gain access to the vCenter server.
Next, the adversary will be able to connect directly to the hosts by retrieving the cleartext "vpxuser" credentials for the hosts and connecting to them directly to install the malware VIRTUALPITA and VIRTUALPIE, allowing them to interact with them directly.
As Mandiant revealed in June 2023, this paves the way for exploiting another VMware flaw, (CVE-2023-20867, CVSS score: 3.9). As a consequence, arbitrary commands can be executed on guest VMs and files can be transferred between the guest virtual machines from a compromised ESXi host using this flaw.
As Mandiant pointed out in their analysis, the same crashes were observed in several UNC3886 intrusions that began in late 2021, suggesting the attacker had access to the vulnerability for approximately one and a half years. As well as removing the 'vmdird' core dumps from the compromised environments, the cybersecurity firm observed that they had also preserved the log entries to cover their tracks.
With the release of the 8.0U2 update from VMware, the vulnerability found in vCenter version 8.0U2 has been patched. The patches are available for vCenter Server versions 8.0U1, 7.0U3, 6.7U3, 6.5U3, VCF 3.x, as well as Async vCenter Server Versions 5.x and 4.x.
