nessus: VMWARE_VCENTER_SERVER_VMSA-2023-0023_CVE-2023-34048.NASL
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Oct 27, 2023 - 12:00 a.m.

VMware vCenter Server 6.5 < 6.5U3v / 6.7 < 6.7U3t / 7.0 < 7.0U3o / 8.0 < 8.0U1d Out-of-bounds Write (VMSA-2023-0023)

2023-10-27 00:00:00
www.tenable.com
Tags: vmware, vcenter server, out-of-bounds write, vulnerability, dcerpc, remote code execution, cve-2023-34048, nessus, network access

CVSS3: 9.8 High

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10 High (Confidence: High)

EPSS: 0.044 Low (Percentile: 92.4%)

The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5U3v, 6.7 prior to 6.7U3t, 7.0 prior to 7.0U3o, or 8.0 prior to 8.0U1d. It is, therefore, affected by an out-of-bounds write vulnerability as referenced in the VMSA-2023-0023 advisory:

  • vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution. (CVE-2023-34048)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(183957);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/21");

  script_cve_id("CVE-2023-34048");
  script_xref(name:"VMSA", value:"2023-0023");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/02/12");
  script_xref(name:"IAVA", value:"2023-A-0577-S");

  script_name(english:"VMware vCenter Server 6.5 < 6.5U3v / 6.7 < 6.7U3t / 7.0 < 7.0U3o / 8.0 < 8.0U1d Out-of-bounds Write (VMSA-2023-0023)");

  script_set_attribute(attribute:"synopsis", value:
"The VMware vCenter Server is affected by an out-of-bounds write vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5U3v, 6.7 prior to 6.7U3t, 7.0
prior to 7.0U3o, or 8.0 prior to 8.0U1d. It is, therefore, affected by an out-of-bounds write vulnerability as
referenced in the VMSA-2023-0023 advisory:

  - vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A
    malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to
    remote code execution. (CVE-2023-34048)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2023-0023.html");
  script_set_attribute(attribute:"see_also", value:"https://core.vmware.com/resource/vmsa-2023-0023-questions-answers");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware vCenter Server 6.5U3v, 6.7U3t, 7.0U3o, or 8.0U1d or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-34048");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_server");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_vcenter_detect.nbin");
  script_require_keys("Host/VMware/vCenter", "Host/VMware/version", "Host/VMware/release");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include('vcf_extras.inc');

var app_info = vcf::vmware_vcenter::get_app_info();

var constraints = [
  { 'min_version' : '6.5', 'fixed_version' : '6.5.22499743', 'fixed_display' : '6.5 Build 22499743 (U3v)' },
  { 'min_version' : '6.7', 'fixed_version' : '6.7.22509723', 'fixed_display' : '6.7 Build 22509723 (U3t)' },
  { 'min_version' : '7.0', 'fixed_version' : '7.0.22357613', 'fixed_display' : '7.0 Build 22357613 (U3o)' },
  { 'min_version' : '8.0', 'fixed_version' : '8.0.22368047', 'fixed_display' : '8.0 Build 22368047 (U1d) or 8.0 Build 223857392 (U2)' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);

Vendor | Product | Version | CPE
vmware | vcenter_server | | cpe:/a:vmware:vcenter_server
