Threat update
VMware has released patches to address critical vulnerabilities impacting Cloud Foundation, vCenter Server, and vSphere ESXi, which could be exploited to achieve privilege escalation and remote code execution. The flaws, identified as CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081, have high CVSS scores.
Technical Detail and Additional Info
What is the threat?
This threat comprises multiple critical vulnerabilities in VMware products. CVE-2024-37079 and CVE-2024-37080 are heap-overflow vulnerabilities in the DCE/RPC protocol implementation within vCenter Server. These vulnerabilities allow a malicious actor with network access to vCenter Server to achieve remote code execution by sending specially crafted network packets. This could lead to complete system compromise, allowing the attacker to execute arbitrary code and potentially gain full control over the affected system.
CVE-2024-37081 involves multiple local privilege escalation vulnerabilities in VMware vCenter due to the misconfiguration of sudo. An authenticated local user with non-administrative privileges could exploit these vulnerabilities to obtain root permissions, significantly increasing their access level and control over the system. This could lead to unauthorized changes, data exfiltration, and other malicious activities.
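The advisory above does not describe which sudo rules were misconfigured in vCenter, so the following is an added, general-purpose audit rather than anything from VMware or the advisory: it parses sudoers-style rules and flags the shapes that hand a non-administrative account root-equivalent power (ALL commands, wildcards in command arguments, and commands that can spawn a shell). The sudoers content, the account names and the `SHELL_CAPABLE` list are constructed for the illustration.

```python
"""Flag over-permissive sudo rules granted to non-administrative accounts.

Added illustration (not VMware code, not the advisory's content): the exact
vCenter sudo misconfiguration is not described above, so the sample sudoers
text below is constructed to show the rule shapes a reviewer should flag.
"""
import re
from dataclasses import dataclass

# Programs that can give the caller an interactive shell or arbitrary file
# writes when run as root; granting them via sudo is equivalent to root.
# Constructed list for the example; extend it for your own environment.
SHELL_CAPABLE = {"/bin/sh", "/bin/bash", "/usr/bin/vi", "/usr/bin/vim",
                 "/usr/bin/less", "/usr/bin/python3", "/usr/bin/find"}

ALIAS_KEYWORDS = ("Defaults", "User_Alias", "Cmnd_Alias",
                  "Host_Alias", "Runas_Alias")

# user/%group  host = (runas) TAG: cmd, cmd, ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Finding:
    line_no: int
    who: str
    reason: str
    nopasswd: bool
    rule: str


def audit_sudoers(text: str, admin_users: set[str]) -> list[Finding]:
    """Return one Finding per risky command grant to a non-admin principal."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(ALIAS_KEYWORDS):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        if who in admin_users:
            continue  # broad rules are expected for administrative principals
        nopasswd = "NOPASSWD" in (m.group("tags") or "")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            prog = cmd.split()[0] if cmd else ""
            if cmd == "ALL":
                reason = "ALL commands as root"
            elif "*" in cmd:
                reason = "wildcard in command argument"
            elif prog in SHELL_CAPABLE:
                reason = "shell-capable command"
            else:
                continue
            findings.append(Finding(n, who, reason, nopasswd, line))
    return findings


# Constructed sample; not a real vCenter sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admins ALL=(ALL) ALL
svcuser ALL=(root) NOPASSWD: /usr/bin/systemctl restart example.service
svcuser ALL=(root) NOPASSWD: /usr/bin/vim /etc/example.conf
backup  ALL=(root) /usr/bin/rsync -a /data/* /backup/
deploy  ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS, {"root", "%admins"}):
        flag = " (NOPASSWD)" if f.nopasswd else ""
        print(f"line {f.line_no}: {f.who}: {f.reason}{flag}: {f.rule}")
```

On a real appliance the same function can be pointed at the output of `sudo -l -U <account>` for each non-administrative account, or at the concatenated sudoers and sudoers.d files; the systemctl grant on line 5 is deliberately not flagged, since a single fixed command without arguments under the caller's control is the shape a restricted grant should have.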
Why is it noteworthy?
The high CVSS scores of these vulnerabilities underscore their severity, indicating that successful exploitation could result in significant damage. The ability of threat actors to achieve remote code execution and escalate privileges poses a substantial risk to the confidentiality, integrity, and availability of affected systems. Organizations running the affected VMware software should take prompt action to mitigate these threats and protect critical infrastructure.
What is the exposure or risk?
The risk posed by these vulnerabilities is considerable for organizations relying on VMware's Cloud Foundation, vCenter Server, and vSphere ESXi. Exploitation of these vulnerabilities could lead to data breaches, service disruptions, and significant financial and reputational damage. The ability to achieve remote code execution and escalate privileges allows attackers to move laterally within the network, increasing the potential impact of an attack.
What are the recommendations?
LBT Technology Group recommends the following actions to protect your VMware infrastructure:
- Apply the patch versions listed in the VMware Security Advisory.
- Refer to VMware's documentation for instructions on patching and important considerations when deploying vCenter Server High Availability.
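To act on the first recommendation at scale, an inventory needs to be compared against the fixed versions the advisory lists. The following is an added example, not VMware tooling: the advisory text above does not reproduce the fixed build numbers, so `FIXED_VERSIONS` holds obviously placeholder values that must be replaced with the versions from the VMware Security Advisory, and the host inventory is constructed.

```python
"""Gate an inventory of VMware hosts against minimum fixed versions.

Added illustration, not VMware code. FIXED_VERSIONS is a PLACEHOLDER table:
replace its values with the fixed builds from the VMware Security Advisory.
"""
from typing import NamedTuple, Optional


class Host(NamedTuple):
    name: str
    product: str   # e.g. "vcenter", "esxi" (constructed labels)
    version: str   # dotted version as reported by the appliance


# PLACEHOLDER values keyed by (product, major.minor line). Not real fixes.
FIXED_VERSIONS = {
    ("vcenter", "8.0"): "8.0.9.99999",
    ("vcenter", "7.0"): "7.0.9.99999",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn "8.0.2.00300" into (8, 0, 2, 300) so tuples compare numerically."""
    return tuple(int(part) for part in v.split("."))


def release_line(v: str) -> str:
    """Major.minor prefix used to pick the fixed build for that line."""
    return ".".join(v.split(".")[:2])


def needs_patch(host: Host) -> Optional[bool]:
    """True if below the fixed build, False if at/above it, None if unknown."""
    fixed = FIXED_VERSIONS.get((host.product, release_line(host.version)))
    if fixed is None:
        return None  # no entry for this product line: needs manual review
    return parse_version(host.version) < parse_version(fixed)


def report(inventory: list[Host]) -> list[tuple[str, str]]:
    """Map each host to a status string suitable for a ticket or dashboard."""
    labels = {True: "PATCH REQUIRED", False: "ok", None: "REVIEW MANUALLY"}
    return [(h.name, labels[needs_patch(h)]) for h in inventory]


# Constructed inventory for the example.
INVENTORY = [
    Host("vc-prod-1", "vcenter", "8.0.2.00300"),
    Host("vc-lab-1", "vcenter", "8.0.9.99999"),
    Host("esx-host-1", "esxi", "8.0.2.0"),
]

if __name__ == "__main__":
    for name, status in report(INVENTORY):
        print(f"{name}: {status}")
```

Hosts whose product line has no entry are reported for manual review rather than silently passed, which matters here because the advisory covers ESXi and Cloud Foundation as well as vCenter; the table must be populated for every product line in the estate before the "ok" result is trusted.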
References
For more in-depth information about the recommendations, please visit the following links:
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
- https://thehackernews.com/2024/06/vmware-issues-patches-for-cloud.html
- https://core.vmware.com/resource/vmsa-2024-0012-questions-answers#what-should-i-do-to-protect-myself
If you have any questions, please contact LBT's Sales Engineer.