Cisco, VMware address critical security flaws

By TuxCare PR Team, May 1, 2023

Cisco and VMware have released security patches to address serious security flaws which malicious actors might exploit to execute arbitrary code on vulnerable computers.

The most serious vulnerability is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which allows an attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device. The issue exists in the web UI component and is caused by incorrect input validation during Device Pack upload.

In addition, Cisco has addressed a moderate-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authorized, local attacker might exploit to get access to personal data. Cisco gave credit to an unidentified external researcher for uncovering both issues. The fixes may be found in version 1.11.3.

Cisco also patched another critical flaw in the Modeling Labs network simulation platform’s external authentication mechanism. The vulnerability, identified as CVE-2023-20154 (CVSS score: 9.1), might allow an unauthenticated, remote attacker to gain administrative access to the web interface. With the release of version 2.5.1, the flaw has been addressed.

VMware also published a security advisory on a critical deserialization bug that affects different versions of Aria Operations for Logs (CVE-2023-20864, CVSS score: 9.8). Unauthenticated malicious actors with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. This vulnerability has been addressed in VMware Aria Operations for Logs 8.12, along with a high-severity command injection flaw (CVE-2023-20865, CVSS score: 7.2) that might allow an attacker with admin capabilities to run arbitrary commands as root. The warning comes approximately three months after VMware fixed two major vulnerabilities in the same product (CVE-2022-31704 and CVE-2022-31706, CVSS scores: 9.8) that might lead to remote code execution.

The sources for this piece include an article in TheHackerNews.
