VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution.
The list of vulnerabilities is as follows -
- CVE-2024-37079 & CVE-2024-37080 (CVSS scores: 9.8) - Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol that could allow a bad actor with network access to vCenter Server to achieve remote code execution by sending a specially crafted network packet
- CVE-2024-37081 (CVSS score: 7.8) - Multiple local privilege escalation vulnerabilities in VMware vCenter arising due to the misconfiguration of sudo that an authenticated local user with non-administrative privileges could exploit to obtain root permissions
This is not the first time VMware has addressed shortcomings in the implementation of the DCE/RPC protocol. In October 2023, the Broadcom-owned virtualization services provider patched another critical security hole (CVE-2023-34048, CVSS score: 9.8) that could also be abused to execute arbitrary code remotely.
Chinese cybersecurity company QiAnXin LegendSec researchers Hao Zheng and Zibo Li have been credited with discovering and reporting CVE-2024-37079 and CVE-2024-37080. The discovery of CVE-2024-37081 has been credited to Matei "Mal" Badanoiu at Deloitte Romania.
All three issues, which affect vCenter Server versions 7.0 and 8.0, have been addressed in versions 7.0 U3r, 8.0 U1e, and 8.0 U2d.
While there are no known reports of any of the vulnerabilities being actively exploited in the wild, it's essential that users move quickly to apply the patches in light of their criticality.