VMware's vCenter Server, a vital platform for managing virtual machines and ESXi hosts, has been found vulnerable to critical security flaws. Three vulnerabilities, CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081, have been identified, posing risks of remote code execution and local privilege escalation.
CVE-2024-37079 and CVE-2024-37080 are heap overflow vulnerabilities in the vCenter Server's DCERPC protocol implementation, allowing a malicious actor with network access to send crafted packets and achieve remote code execution. Both received a "critical" CVSS v3.1 score of 9.8.
CVE-2024-37081, on the other hand, involves a sudo misconfiguration in vCenter Server, enabling authenticated local users to elevate their privileges to root on the vCenter Server Appliance. This vulnerability has a CVSS v3.1 score of 7.8, classified as “high.”
Affected versions include VMware vCenter Server 7.0 and 8.0, as well as VMware Cloud Foundation 4.x and 5.x. Updates have been issued for vCenter Server versions 8.0 U2d, 8.0 U1e, and 7.0 U3r, with patches available for Cloud Foundation through KB88287.
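The fixed releases above are the practical check an administrator needs: is a given vCenter on a line that has a fix, and is it at or past the fixing update? The following Python snippet is an added example, not code from VMware or from the article, that encodes the three fixed vCenter releases named here (8.0 U2d, 8.0 U1e, 7.0 U3r) and classifies a version string accordingly. It assumes a constructed version-string format of the form "8.0 U2c" or "7.0 U3"; real vCenter builds also carry numeric build identifiers, which this example does not model, and update lines the article does not list (for example 8.0 U3 or a plain 8.0 GA install) are reported as "unknown" rather than guessed.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the article, keyed by (major.minor, update line).
# Any release on the same line whose letter sorts at or above the listed
# letter carries the fix; anything below it does not.
FIXED_RELEASES: Dict[Tuple[str, int], str] = {
    ("8.0", 2): "d",   # vCenter Server 8.0 U2d
    ("8.0", 1): "e",   # vCenter Server 8.0 U1e
    ("7.0", 3): "r",   # vCenter Server 7.0 U3r
}

# Assumed (constructed) version-string shape: "<major>.<minor> U<update><letter?>".
# Examples: "8.0 U2c", "7.0 U3". The trailing letter is optional and denotes
# the base update release when absent.
VERSION_RE = re.compile(r"^(\d+\.\d+)\s*U(\d+)([a-z])?$")


def parse_version(text: str) -> Tuple[str, int, str]:
    """Split '8.0 U2c' into ('8.0', 2, 'c'); raise on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    line, update, letter = m.group(1), int(m.group(2)), m.group(3) or ""
    return line, update, letter


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string.

    'unknown' means the article lists no fixed release for that update line,
    so the vendor advisory must be consulted instead of guessing.
    """
    line, update, letter = parse_version(text)
    fixed_letter = FIXED_RELEASES.get((line, update))
    if fixed_letter is None:
        return "unknown"
    # Letters compare alphabetically; the empty string (base Ux release)
    # sorts below 'a', so a bare "7.0 U3" is correctly below "7.0 U3r".
    return "patched" if letter >= fixed_letter else "vulnerable"


def summarise(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host name in an inventory to its patch status."""
    return {host: patch_status(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "vcsa-prod-01": "8.0 U2c",
        "vcsa-prod-02": "8.0 U2d",
        "vcsa-lab-01": "7.0 U3q",
        "vcsa-lab-02": "7.0 U3r",
        "vcsa-dr-01": "8.0 U3",
    }
    for host, status in summarise(sample).items():
        print(f"{host:<14} {sample[host]:<8} {status}")
```

Run it against an export of your own vCenter inventory in the same string form; anything reported as "vulnerable" lacks the fixing update, and anything "unknown" sits on a line this summary does not cover and needs a manual check against the vendor advisory.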
During the update process, VMware assures that running workloads or virtual machines will not be impacted, though vSphere Client and other management interfaces may experience temporary unavailability. It’s advisable to conduct a pre-test for issues related to custom ciphers in 7.0 U3r and U3q, as detailed in the Knowledge Base article.
As no viable workarounds or mitigations exist within the products, installing the updates promptly is strongly recommended. While there have been no reported instances of active exploitation of the vulnerabilities, VMware emphasizes the importance of timely action, considering the potential threat from malicious actors targeting disclosed vCenter vulnerabilities.
Article Source
https://www.bleepingcomputer.com/news/security/VMware-fixes-critical-vcenter-rce-vulnerability-patch-now/