CyberSecurity SEE

Chinese hackers capitalized on significant vulnerability in VMware vCenter without detection for 1.5 years

A critical remote code execution vulnerability (CVE-2023-34048) in VMware's vCenter Server and Cloud Foundation enterprise products, which are used to manage virtual machines across hybrid clouds, was disclosed and patched by the company in October 2023. Security firm Mandiant has since reported that a Chinese cyberespionage group had been exploiting the flaw as a zero-day for roughly 1.5 years before the patch became available.

According to Mandiant's report, the group, tracked as UNC3886, used novel attack paths to exploit the vulnerability. UNC3886 historically targets technologies that cannot run EDR (endpoint detection and response) agents, such as hypervisors, management appliances and network devices, and has a track record of using zero-day vulnerabilities to complete its mission without being detected. This latest example further demonstrates those capabilities.

Mandiant had already documented in June 2023 how the group exploited a zero-day authentication bypass in VMware Tools (CVE-2023-20867) to deploy backdoors inside guest VMs from compromised ESXi hosts. That attack chain started with the attackers gaining access to vCenter servers and extracting the credentials of the vpxuser account for every ESXi host attached to the server. With those credentials they logged in to the hosts and exploited the VMware Tools flaw to push malware into the guest VMs.

Because vpxuser passwords are stored encrypted by default on fully patched vCenter systems, the open question was how the attackers had obtained root access to vCenter in the first place. Mandiant found the answer in the appliance's own logs: in several intrusions the "vmdird" (VMware Directory Service) process crashed minutes before backdoors were deployed, which is consistent with exploitation of CVE-2023-34048, an out-of-bounds write that can crash the service. The crash is the artifact of exploitation rather than its goal; in most of the environments examined the resulting core dumps had been removed, so the crash log entries were the remaining evidence.
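The crash-then-deploy pattern described above is something a defender can hunt for directly. The following Python triage helper is an added example, not code from the article, Mandiant or VMware: it extracts abnormal vmdird exits from a service-manager log, lists files that appeared on the appliance within a short window after each crash, and flags the case where vmdird crashed but no core.vmdird-* dump is present (which may indicate the dump was removed). The log line format, file listing, timestamps and paths are constructed for illustration; the real vmon log lines on a vCenter appliance differ, so adjust the regular expression to what your appliance actually writes.

```python
"""Triage helper for the "vmdird crash, then new files" pattern on a vCenter appliance.

Added example, not from the article or from Mandiant/VMware. All log lines,
paths and timestamps below are constructed; the real /var/log/vmware/vmon log
format differs, so adapt CRASH_RE before running this against real data.
"""
import re
from datetime import datetime, timedelta

# Constructed (hypothetical) service-manager log excerpt.
SAMPLE_VMON_LOG = """\
2023-06-11T02:11:07.120Z info vmon  Service vmdird started successfully.
2023-06-11T03:40:51.003Z warning vmon  Service vmdird exited. Exit code 139
2023-06-11T03:40:52.410Z info vmon  Restarting service vmdird
2023-06-11T03:40:55.882Z info vmon  Service vmdird started successfully.
"""

# Constructed file listing (mtime, path). In practice produce this with
# something like `find / -xdev -newermt '<date>' -printf '%TY-%Tm-%TdT%TH:%TM:%TSZ %p\n'`
# on the appliance or from a forensic image.
SAMPLE_FILES = [
    ("2023-06-10T22:05:00Z", "/var/log/vmware/vpxd/vpxd-0.log"),
    ("2023-06-11T03:47:10Z", "/tmp/.x/libsvc.so"),
    ("2023-06-11T03:48:02Z", "/usr/lib/vmware-vmon/dropped.bin"),
    ("2023-06-12T09:00:00Z", "/var/log/vmware/vmdird/vmdird-syslog.log"),
]

# Constructed /var/core listing: empty, which is itself notable after a
# vmdird segfault, since a crash should normally leave a core.vmdird-* file.
SAMPLE_CORE_DIR = []

# Matches the constructed "exited. Exit code N" line; adjust for real logs.
CRASH_RE = re.compile(r"^(\S+Z) \S+ vmon\s+Service vmdird exited\. Exit code (\d+)")


def parse_ts(s):
    """Parse ISO-8601 UTC timestamps with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt)


def find_vmdird_crashes(log_text):
    """Return [(timestamp, exit_code)] for every abnormal (non-zero) vmdird exit."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m and int(m.group(2)) != 0:
            crashes.append((parse_ts(m.group(1)), int(m.group(2))))
    return crashes


def files_after_crash(crashes, files, window_minutes=30):
    """Files whose mtime falls within `window_minutes` after a crash."""
    hits = []
    for crash_ts, code in crashes:
        for mtime, path in files:
            t = parse_ts(mtime)
            if crash_ts <= t <= crash_ts + timedelta(minutes=window_minutes):
                hits.append((crash_ts, code, path))
    return hits


def missing_core_dumps(crashes, core_dir_listing):
    """True when vmdird crashed but no core.vmdird-* dump survives (possible anti-forensics)."""
    return bool(crashes) and not any(n.startswith("core.vmdird") for n in core_dir_listing)


def triage(log_text=SAMPLE_VMON_LOG, files=SAMPLE_FILES, core_dir=SAMPLE_CORE_DIR):
    """Run all three checks and return the findings as a dict."""
    crashes = find_vmdird_crashes(log_text)
    return {
        "crashes": crashes,
        "suspicious_files": files_after_crash(crashes, files),
        "core_dumps_missing": missing_core_dumps(crashes, core_dir),
    }


if __name__ == "__main__":
    result = triage()
    for ts, code in result["crashes"]:
        print(f"vmdird abnormal exit at {ts}Z (exit code {code})")
    for ts, code, path in result["suspicious_files"]:
        print(f"  new file within 30 min of crash: {path}")
    if result["core_dumps_missing"]:
        print("  vmdird crashed but no core.vmdird-* dump in /var/core: possible dump removal")
```

A vmdird crash on its own is not proof of compromise (the service can crash for benign reasons), which is why the example correlates it with file activity in a tight window and with the state of the core dump directory; any hit should be followed by a full review of the appliance rather than treated as a verdict.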

CVE-2023-34048 is an out-of-bounds write in vCenter Server's implementation of the DCERPC protocol that can crash the service and lead to arbitrary code execution. It is reachable by an unauthenticated attacker with network access to the vCenter Server (CVSS 9.8), VMware published no workaround, and the advisory identified 2012/tcp, 2014/tcp and 2020/tcp as the ports through which it can be exploited, so restricting network access to those ports is the only mitigation short of patching. Fixed builds were released for vCenter Server 8.0 and 7.0 and, unusually, for the end-of-life 6.7 and 6.5 lines and for Cloud Foundation 3.x, which makes the flaw a critical risk for any organization still running an unpatched vCenter Server or Cloud Foundation deployment.

The disclosure raises concerns about the security of virtual machine management across hybrid clouds and highlights the need for organizations to prioritize patching their management infrastructure. It also shows that patching alone is not enough when a flaw has already been exploited as a zero-day: organizations that patched in October 2023 should still review their vCenter appliances for the vmdird crashes and unexpected files described above, because a compromise that predates the patch will survive it.

VMware's patches close this hole, but the incident is a reminder of the ongoing cat-and-mouse game between attackers and security teams. As organizations continue to adopt cloud-based infrastructure and virtualization technologies, they must keep management interfaces such as vCenter off untrusted networks, monitor the appliances themselves since endpoint agents cannot run on them, and ensure their systems are patched promptly to reduce the window of exploitation.
