Critical RCE flaws in vCenter Server fixed (CVE-2024-37079, CVE-2024-37080)
VMware by Broadcom has fixed two critical vulnerabilities (CVE-2024-37079, CVE-2024-37080) affecting VMware vCenter Server and products that contain it: vSphere and Cloud Foundation.
“A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution,” the company said, but noted that they are currently not aware of them being exploited “in the wild”.
The vulnerabilities
VMware vCenter Server is a popular server management solution for controlling vSphere (virtualized cloud computing) environments. VMware Cloud Foundation is a solution for deploying and managing hybrid cloud infrastructure.
CVE-2024-37079 and CVE-2024-37080 are heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol.
They have a high severity score because they can be exploited by unauthenticated, remote attackers without any user interaction.
At the same time, VMware has fixed several local privilege escalation vulnerabilities (CVE-2024-37081) that may arise due to misconfiguration of sudo and may allow an authenticated local user with non-administrative privileges to elevate privileges to root on vCenter Server Appliance.
Fixes are available
The three vulnerabilities have been privately reported by security researchers and affect vCenter Server versions 7.0 and 8.0, as well as Cloud Foundation versions 4.x and 5.x.
Products that are past their End of General Support dates – i.e., vSphere 6.5 or 6.7 – “are not evaluated as part of security advisories. If your organization has extended support please use those processes to request assistance,” the company said in an accompanying FAQ document.
Customers are advised to implement the fixes or upgrade as needed, as there are no workarounds available.
“There may be other mitigations and compensating controls available in your organization, depending on your security posture, defense-in-depth strategies, and configurations of perimeter firewalls and appliance firewalls. All organizations must decide for themselves whether to rely on those protections,” VMware added.
“Many appliances, such as the vCenter Server Appliance (VCSA), have firewalling capabilities accessible through the Virtual Appliance Management Interface (VAMI). This firewall can be used to help restrict access and potentially help mitigate vulnerabilities.”
UPDATE (August 28, 2024, 11:30 a.m. ET):
A technical write-up about CVE-2024-37079 has been published.
“At the time of the patch release, there was a fair amount of attention paid to this vulnerability. However, to date, there have been no attacks detected in the wild,” the Trend Micro Research Team noted.
The reason for the lack of attacks could be the fact that exploitation is not straightforward. “Still, this is a critical vulnerability and should be addressed by applying the vendor-supplied patch,” the researchers added.