Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems.
The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack.
“A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device,” Cisco said in an advisory released on April 19, 2023.
The networking equipment major also resolved a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could abuse to view sensitive information.
Patches have been made available in version 1.11.3, with Cisco crediting an unnamed “external” researcher for reporting the two issues.
Also fixed by Cisco is another critical flaw in the external authentication mechanism of the Modeling Labs network simulation platform. Tracked as CVE-2023-20154 (CVSS score: 9.1), the vulnerability could permit an unauthenticated, remote attacker to access the web interface with administrative privileges.
“To exploit this vulnerability, the attacker would need valid user credentials that are stored on the associated external authentication server,” the company noted.
“If the LDAP server is configured in such a way that it will reply to search queries with a non-empty array of matching entries (replies that contain search result reference entries), this authentication bypass vulnerability can be exploited.”
While there are workarounds that plug the security hole, Cisco cautions customers to test the effectiveness of such remediations in their own environments before administering them. The shortcoming has been patched with the release of version 2.5.1.
VMware ships updates for Aria Operations for Logs#
VMware, in an advisory released on April 20, 2023, warned of a critical deserialization flaw impacting multiple versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8).
“An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root,” the virtualization services provider said.
VMware Aria Operations for Logs 8.12 fixes this vulnerability along with a high-severity command injection flaw (CVE-2023-20865, CVSS score: 7.2) that could allow an attacker with admin privileges to run arbitrary commands as root.
“CVE-2023-20864 is a critical issue and should be patched immediately,” the company said. “It needs to be highlighted that only version 8.10.2 is impacted by this vulnerability.”
The alert comes almost three months after VMware plugged two critical issues in the same product (CVE-2022-31704 and CVE-2022-31706, CVSS scores: 9.8) that could result in remote code execution.
With Cisco and VMware appliances turning out to be lucrative targets for threat actors, it’s recommended that users move quickly to apply the updates to mitigate potential threats.