CVE-2023-20892

Summary

The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit heap-overflow vulnerability to execute arbitrary code on the underlying operating system that hosts vCenter Server.

Affected Software

VendorProductVersion RangeStatus
VMwareVMware vCenter Server (vCenter Server)8.0 < 8.0 U1baffected
VMwareVMware vCenter Server (vCenter Server)7.0 < 7.0 u3maffected
VMwareVMware Cloud Foundation (vCenter Server)5.x < 7.0 U3m, 8.0 U1baffected
VMwareVMware Cloud Foundation (vCenter Server)4.x < 7.0 U3m, 8.0 U1baffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References