VMware has issued updates addressing critical vulnerabilities in its Cloud Foundation, vCenter Server, and vSphere ESXi platforms. The flaws could allow attackers to escalate privileges or execute code remotely, and they carry high CVSS scores that reflect their severity.
The most serious are CVE-2024-37079 and CVE-2024-37080, both rated CVSS 9.8. They are heap-overflow flaws in vCenter Server's implementation of the DCE/RPC protocol. An attacker with network access to vCenter Server could trigger them by sending specially crafted packets and achieve remote code execution on the appliance, a serious risk for any organization that manages its infrastructure through vCenter.
Another critical vulnerability, CVE-2024-37081, carries a CVSS score of 7.8. This issue relates to local privilege escalation vulnerabilities within VMware vCenter. The vulnerabilities arise from improper configuration of the sudo command, which allows authenticated local users with non-administrative privileges to potentially escalate their access to root permissions. This situation is alarming as it could compromise the integrity of systems managed by vCenter.
This is not the first critical flaw VMware has had to fix in its DCE/RPC implementation. In October 2023, VMware patched CVE-2023-34048, another vulnerability in the same protocol that also allowed remote code execution. The recurrence suggests this component deserves close attention from organizations that expose vCenter Server on their networks.
The discovery of CVE-2024-37079 and CVE-2024-37080 has been attributed to researchers Hao Zheng and Zibo Li from the Chinese cybersecurity firm QiAnXin LegendSec. Meanwhile, CVE-2024-37081 was discovered by Matei “Mal” Badanoiu at Deloitte Romania. These findings emphasize the importance of vigilance and proactive security measures in the cybersecurity landscape.
The vulnerabilities affect versions 7.0 and 8.0 of vCenter Server. VMware has fixed them in releases 7.0 U3r, 8.0 U1e, and 8.0 U2d. Although there are currently no reports of exploitation in the wild, the severity of the issues warrants prompt application of the patches.
In terms of adversary tradecraft, the vulnerabilities map onto the MITRE ATT&CK tactics of initial access (the network-reachable DCE/RPC overflows) and privilege escalation (the sudo misconfiguration). Together they illustrate how an attacker could move from an unauthenticated network position to root on a vCenter appliance, which is why continuous monitoring of these systems matters alongside patching.
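As a worked aid to the patch-management step above, here is an added example (not VMware tooling, and not part of the original article) that parses vCenter Server version strings of the "<major> U<update><patch-letter>" form used in the advisory and decides whether a given build is at or above the fixed releases 7.0 U3r, 8.0 U1e and 8.0 U2d. The `FIXED_RELEASES` table, the `inventory` sample, and the rule that a later update train on the same major line contains the fix are assumptions of this example; confirm the last one against the vendor advisory before relying on it.

```python
"""Triage vCenter Server versions against the fixed releases named in the
advisory (7.0 U3r, 8.0 U1e, 8.0 U2d). Added example, not VMware's own code."""
import re
from typing import Dict, Optional, Tuple

# Fixed releases from the advisory, keyed by (major line, update train).
# The patch letter is the minimum fixed patch within that train.
FIXED_RELEASES: Dict[Tuple[str, int], str] = {
    ("7.0", 3): "r",   # 7.0 U3r
    ("8.0", 1): "e",   # 8.0 U1e
    ("8.0", 2): "d",   # 8.0 U2d
}

# Accepts "8.0", "8.0c", "7.0 U3", "7.0 U3r", "8.0U2d" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s*U(\d+))?([a-z]?)\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[str, int, str]:
    """Split a version string into (major line, update number, patch letter).

    A release with no "U<n>" part is treated as update 0 (the GA train) and a
    missing patch letter as "", which sorts before "a".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, update, patch = m.groups()
    return major, int(update) if update else 0, patch.lower()


def is_patched(text: str) -> Optional[bool]:
    """Return True if the build includes the fix, False if it is affected,
    or None if its major line is not listed in the advisory at all."""
    major, update, patch = parse_version(text)
    trains = {u: p for (m, u), p in FIXED_RELEASES.items() if m == major}
    if not trains:
        return None  # e.g. a 6.x line: the advisory does not cover it
    if update in trains:
        # Same train: a patch letter at or beyond the fixed letter is patched.
        return patch >= trains[update]
    if update > max(trains):
        # ASSUMPTION: a newer update train on this line ships with the fix.
        return True
    # Older train with no fix listed: must move to a fixed train.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to 'patched', 'affected' or 'unlisted'."""
    labels = {True: "patched", False: "affected", None: "unlisted"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    inventory = {
        "vcsa-prod-01": "8.0 U2c",
        "vcsa-prod-02": "8.0 U2d",
        "vcsa-lab-01": "7.0 U3q",
        "vcsa-lab-02": "8.0c",
        "vcsa-old-01": "6.7 U3",
    }
    for host, status in triage(inventory).items():
        print(f"{host:14} {inventory[host]:8} {status}")
```

Run it as a script to see the sample triage, or import `is_patched` into an inventory script that pulls real version strings from your own asset database. Versions on a line the advisory does not mention come back as `None` rather than `False`, so that end-of-life builds are surfaced for a separate decision instead of being silently marked safe.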
As organizations navigate the complexities of cybersecurity, staying updated on vulnerabilities such as those disclosed by VMware is crucial. The criticality of these recent disclosures serves as a reminder of the dynamic nature of cyber threats, reinforcing the imperative for robust resilience strategies and timely patch management in safeguarding sensitive data and systems.