VMware by Broadcom warns of two critical vCenter flaws, plus a nasty sudo bug
Specially crafted network packet could allow remote code execution and access to VM fleets
VMware by Broadcom has revealed a pair of critical-rated flaws in vCenter Server – the tool used to manage virtual machines and hosts in its flagship Cloud Foundation and vSphere suites.
Announced late on Monday night, Pacific Time, the critical-rated flaws are CVE-2024-37079 and CVE-2024-37080, both of which scored 9.8 on the ten-point Common Vulnerability Scoring System v3 scale.
VMware's security bulletin describes both of the flaws as "heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol" that mean "A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution."
DCE/RPC (which stands for Distributed Computing Environment/Remote Procedure Calls) is a means of calling a procedure on a remote machine as if it were a local machine – just the ticket when managing virtual machines.
However, the prospect of an attacker using the flaws to run code on vCenter Server and drive fleets of VMs and hosts is deeply unpleasant.
VMware has published a resource for its customers that states the Broadcom business unit "is not currently aware of exploitation 'in the wild'."
- Notorious cyber gang UNC3944 attacks vSphere and Azure to run VMs inside victims' infrastructure
- Patch now: Critical VMware, Atlassian flaws found
- Patch now: Critical VMware, Atlassian flaws found
- VMware urges emergency action to blunt hypervisor flaws
The good news is that patched versions of vCenter Server and Cloud Foundation are already available.
The bad news is that VMware hass not considered whether the flaws impact older versions of vSphere – meaning versions 6.5 and 6.7, which exited support in October 2022 but are still widely used, may be impacted but won't be fixed.
Further unwelcome news is that VMware also revealed a third flaw – CVE-2024-37081 – described as "local privilege escalation vulnerabilities due to misconfiguration of sudo." This one is rated important, with a score of 7.8, as it could mean "An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance."
The versions of vCenter Server and Coud Foundation affected by these flaws were released before Broadcom took over VMware – a tidbit we mention as some doomsayers have suggested job cuts at the virty giant could impact product quality.
VMware has tipped its hat to Matei "Mal" Badanoiu of Deloitte Romania for finding the flaws. ®