VMware has recently addressed critical vulnerabilities in its VMware vSphere and VMware Cloud Foundation products, with fixes released by Broadcom.
Description
These vulnerabilities have been patched [2]. They comprise two heap-overflow flaws in vCenter Server's implementation of the DCE/RPC (DCERPC) protocol (CVE-2024-37079 and CVE-2024-37080, maximum CVSSv3 base score 9.8) and a local privilege escalation flaw caused by a sudo misconfiguration in vCenter Server (CVE-2024-37081, CVSSv3 base score 7.8) [1] [2] [3] [4] [5] [6] [8] [9]. The heap-overflow flaws can lead to remote code execution [1], while the sudo misconfiguration allows an authenticated local user to elevate their privileges to root [8]. Researchers from QiAnXin LegendSec and Deloitte Romania were credited with discovering these vulnerabilities [2]. The fixes ship in vCenter Server versions 7.0 and 8.0, and customers should install the updates immediately [2]. No active exploitation in the wild was known at the time of disclosure, but users should still apply the patches promptly [2]. The security advisory, VMSA-2024-0012, was published on June 17, 2024 [7] [8]; it covers three CVEs with severity scores ranging from 7.8 to 9.8 [7] and concerns VMware vCenter Server, a core component of the VMware vSphere and VMware Cloud Foundation products [7] [8]. A malicious actor with network access to vCenter Server can trigger the heap-overflow vulnerabilities by sending specially crafted network packets, potentially leading to remote code execution [7] [8].
Patches have been released to address these vulnerabilities [8]. Because of the sudo misconfiguration (CVE-2024-37081), an authenticated local user can gain root access on the vCenter Server Appliance [8]. Organizations using VMware vCenter Server are urged to apply the necessary patches immediately to mitigate these critical vulnerabilities [8]. Older vSphere versions 6.5 and 6.7, whose official support ended in October 2022, are not covered by these patches even though they are still widely used [5].
Conclusion
It is imperative for organizations using VMware vCenter Server to promptly apply the necessary patches to mitigate the critical vulnerabilities identified. Failure to do so leaves systems exposed to remote code execution and privilege escalation, posing significant security risks. Systems that remain unpatched face an increased likelihood of attack and of the data breaches that could follow.
References
[1] https://www.scmagazine.com/news/vmware-fixes-2-critical-bugs-check-if-your-vcenter-server-is-affected
[2] https://thehackernews.com/2024/06/vmware-issues-patches-for-cloud.html
[3] https://www.redpacketsecurity.com/vmware-issues-patches-for-cloud-foundation-vcenter-server-and-vsphere-esxi/
[4] https://www.darkreading.com/cloud-security/critical-vmware-bugs-open-swaths-of-vms-to-rce-data-theft
[5] https://www.techzine.eu/news/security/121303/vulnerabilities-in-vmwares-vcenter-server-enable-remote-code-execution/
[6] https://winbuzzer.com/2024/06/18/vmware-vcenter-server-faces-critical-security-vulnerabilities-xcxwbn/
[7] https://www.infosecurity-magazine.com/news/vmware-critical-vulnerabilities/
[8] https://cybersecuritynews.com/multiple-vmware-vcenter-server-flaws/
[9] https://www.virtualizationhowto.com/2024/06/vmware-vcenter-server-vmsa-2024-0012-critical-patch-update-steps/