VMware and Broadcom have recently addressed critical security vulnerabilities in VMware products, including Cloud Foundation [1] [7] [8] [9] [10], vCenter Server [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and vSphere ESXi [3] [5] [9].

Description

VMware’s security advisory VMSA-2024-0012 [2] [7] covers multiple vulnerabilities [2]: two heap-overflow bugs in the DCE/RPC protocol implementation (CVE-2024-37079 and CVE-2024-37080) that can lead to remote code execution [1] [3] [6] [7] [10], and a local privilege escalation bug (CVE-2024-37081) caused by a sudo misconfiguration [7]. A malicious actor with network access to vCenter Server could exploit the heap overflows to execute code remotely [2] [10]. The privilege escalation bug, rated high severity [8] (important, in VMware’s own rating [10]), allows an authenticated local user without administrative privileges to elevate to root on a vCenter Server Appliance [8] [10].

The vulnerabilities affect vCenter Server 7.0 and 8.0, as well as Cloud Foundation (vCenter Server) as tracked in KB88287 [1]. Products that bundle vCenter Server, such as vSphere and Cloud Foundation, are affected as well [2] [10]. Fixes are available in vCenter Server 7.0 U3r, 8.0 U1e and 8.0 U2d [7] [9], and for Cloud Foundation versions 5.x and 4.x [4]. No effective workarounds are available [4], and organizations running products past their End of General Support date should seek assistance from VMware [4]. There are no known active exploits [9], but users are advised to apply the patches promptly to mitigate the risk.

CVE-2024-37079 and CVE-2024-37080 were reported by the TianGong Team of Legendsec at Qi’anxin Group [7], while CVE-2024-37081 was identified by Matei “Mal” Badanoiu from Deloitte Romania [7].
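As an added triage helper (example code written for this summary, not from VMware or any of the cited sources), the script below classifies vCenter Server version labels against the fixed releases the advisory names, 7.0 U3r, 8.0 U1e and 8.0 U2d, and flags anything the advisory does not cover for follow-up with VMware. It assumes labels in the "8.0 U2d" form and that update letters within a train are cumulative and alphabetical; the hostnames in the sample inventory are constructed.

```python
import re

# Fixed releases named in VMSA-2024-0012 (taken from the summary above):
# vCenter Server 7.0 U3r, 8.0 U1e and 8.0 U2d, keyed by (line, update number)
# and valued with the first fixed update letter.
FIXED_RELEASES = {("7.0", 3): "r", ("8.0", 1): "e", ("8.0", 2): "d"}

# Assumed label form: "<major>.<minor>[ U<update>[<letter>]]", e.g. "8.0 U2c".
LABEL_RE = re.compile(r"^(\d+\.\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_label(label: str) -> tuple:
    """'8.0 U2c' -> ('8.0', 2, 'c'); a GA release has update 0 and no letter."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version label: {label!r}")
    line, update, letter = m.groups()
    return line, int(update) if update else 0, (letter or "").lower()


def assess(label: str) -> str:
    """Classify one label as 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers lines and updates the advisory does not name (6.x, End of
    General Support builds, updates newer than the advisory): ask VMware.
    """
    line, update, letter = parse_label(label)
    fixed_updates = [u for (ln, u) in FIXED_RELEASES if ln == line]
    if not fixed_updates:
        return "unknown"
    if (line, update) in FIXED_RELEASES:
        # Letters assumed cumulative and alphabetical ("" sorts before "a").
        return "patched" if letter >= FIXED_RELEASES[(line, update)] else "vulnerable"
    if update < min(fixed_updates):
        return "vulnerable"  # older update train with no fix of its own
    return "unknown"  # newer than anything the advisory names


def triage(inventory: dict) -> dict:
    """Map hostname -> status for an inventory of {hostname: version label}."""
    return {host: assess(label) for host, label in inventory.items()}


# Constructed sample inventory (hostnames and labels are made up).
SAMPLE_INVENTORY = {"vcsa-prod-01": "8.0 U2c", "vcsa-prod-02": "8.0 U2d",
                    "vcsa-lab-01": "7.0 U3", "vcsa-legacy": "6.7 U3"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```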

Conclusion

Users are advised to apply the patches promptly to mitigate any potential security risks. Organizations using products past their End of General Support date should seek assistance from VMware to address these vulnerabilities and ensure the security of their systems.

References

[1] https://securityonline.info/cve-2024-37079-cve-2024-37080-critical-vmware-vcenter-server-vulnerabilities-demand-immediate-action/
[2] https://cybersecuritynews.com/multiple-vmware-vcenter-server-flaws/
[3] https://www.redpacketsecurity.com/vmware-issues-patches-for-cloud-foundation-vcenter-server-and-vsphere-esxi/
[4] https://www.scmagazine.com/news/vmware-fixes-2-critical-bugs-check-if-your-vcenter-server-is-affected
[5] https://www.infosecurity-magazine.com/news/vmware-critical-vulnerabilities/
[6] https://www.darkreading.com/cloud-security/critical-vmware-bugs-open-swaths-of-vms-to-rce-data-theft
[7] https://www.technadu.com/vmware-vcenter-server-patches-heap-overflow-and-privilege-escalation/534172/
[8] https://www.helpnetsecurity.com/2024/06/18/cve-2024-37079-cve-2024-37080/
[9] https://thehackernews.com/2024/06/vmware-issues-patches-for-cloud.html
[10] https://duo.com/decipher/vmware-warns-of-critical-vcenter-server-flaws