VMware has issued a security advisory addressing critical vulnerabilities in vCenter Server, including remote code execution and local privilege escalation flaws.
VMware vCenter Server is a central management platform for VMware vSphere, enabling the management of virtual machines and ESXi hosts.
Today, the vendor released fixes for three vulnerabilities, namely CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081, summarized as follows:
- CVE-2024-37079: A heap-overflow vulnerability in the DCERPC protocol implementation of vCenter Server that allows a malicious actor with network access to send specially crafted packets, potentially leading to remote code execution. (CVSS v3.1 score: 9.8 “critical”)
- CVE-2024-37080: Another heap overflow vulnerability in the DCERPC protocol implementation of vCenter Server. Like CVE-2024-37079, it allows an attacker with network access to trigger the heap overflow by sending crafted packets, potentially resulting in remote code execution. (CVSS v3.1 score: 9.8 “critical”)
- CVE-2024-37081: This vulnerability arises from a misconfiguration of sudo in vCenter Server, permitting an authenticated local user to exploit this flaw to elevate their privileges to root on the vCenter Server Appliance. (CVSS v3.1 score: 7.8 “high”)
The above flaws impact VMware vCenter Server versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x.
Security updates were made available in VMware vCenter Server 8.0 U2d, 8.0 U1e, and 7.0 U3r. For Cloud Foundation, patches were pushed through KB88287.
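As an added triage helper, not code from VMware or from this article, the Python below classifies a vCenter Server version written in the advisory's "7.0 U3r" style against the fixed releases named above. Build numbers and any update line not named on the page (8.0 U3, for instance) are assumptions outside this data, so such versions are flagged for review rather than cleared.

```python
import re

# Fixed releases named in the advisory: 7.0 U3r, 8.0 U2d and 8.0 U1e.
FIXED_RELEASES = ("7.0 U3r", "8.0 U2d", "8.0 U1e")

# Matches the "MAJOR.MINOR [U<update><patch-letter>]" notation used in the advisory.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+U(\d+)([a-z]?))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '8.0 U2d' into a comparable tuple (8, 0, 2, 4); GA of a line gets patch 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    patch = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(update) if update else 0, patch)


def assess(version_text, fixed=FIXED_RELEASES):
    """Classify a version as 'patched', 'affected', 'review' or 'not-listed'.

    'review' means the major.minor is in scope of the advisory but the update
    line has no fix named on the page, so it cannot be cleared from this data.
    """
    v = parse_version(version_text)
    fixed_versions = [parse_version(f) for f in fixed]
    same_line = [f for f in fixed_versions if f[:3] == v[:3]]
    if same_line:
        return "patched" if v >= same_line[0] else "affected"
    same_family = [f for f in fixed_versions if f[:2] == v[:2]]
    if not same_family:
        return "not-listed"
    # An update line older than every fixed line has no patch of its own: upgrade.
    if v[2] < min(f[2] for f in same_family):
        return "affected"
    return "review"


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    for host, ver in [("vc-a", "7.0 U3q"), ("vc-b", "8.0 U2d"), ("vc-c", "8.0 U3")]:
        print(f"{host}: {ver} -> {assess(ver)}")
```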
The vendor says that updating vCenter Server does not affect running workloads or VMs, but a temporary unavailability is to be expected on vSphere Client and other management interfaces during the update.
VMware also notes a known issue with custom ciphers in 7.0 U3r (present in U3q as well). Running the precheck is recommended to catch the problem, and the corresponding knowledge base article covers the details.
The vendor said there are no viable in-product workarounds or mitigations for these vulnerabilities, so the recommended solution is to apply the updates as soon as possible.
In a FAQ page VMware published to accompany the security bulletin, the company says that no active exploitation of the flaws has been detected in the wild so far.
However, it is not uncommon for vCenter flaws to be targeted by threat actors when they are disclosed, so admins must apply the updates as soon as possible.