VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

VMware has released updates for several critical vulnerabilities affecting Cloud Foundation, vCenter Server, and vSphere ESXi. Left unpatched, the flaws allow remote code execution and privilege escalation, which puts the integrity of the whole virtualization layer at risk. Two of them, CVE-2024-37079 and CVE-2024-37080, are heap-overflow bugs in vCenter Server's implementation of the DCE/RPC protocol; an attacker with network access to the server can trigger them with specially crafted network packets and execute arbitrary code. The third, CVE-2024-37081, is a local privilege escalation caused by sudo misconfigurations in vCenter Server, which let an authenticated local user without administrative rights obtain root. The vulnerabilities affect vCenter Server 7.0 and 8.0 and are fixed in 7.0 U3r, 8.0 U1e, and 8.0 U2d. The DCE/RPC bugs were reported by Hao Zheng and Zibo Li of QiAnXin LegendSec, and the sudo flaw by Matei "Mal" Badanoiu of Deloitte Romania. This is not VMware's first DCE/RPC problem: a similar critical flaw, CVE-2023-34048, was patched in October 2023. Administrators should identify affected systems, back up their configurations, test and deploy the patches, and then monitor the systems. No in-the-wild exploitation had been reported at the time of writing, but the severity of the flaws makes prompt patching essential.

Overview of Vulnerabilities

Remote Code Execution Vulnerabilities (CVE-2024-37079 & CVE-2024-37080)

VMware vCenter Server contains two critical heap-overflow vulnerabilities, CVE-2024-37079 and CVE-2024-37080, in its implementation of the DCE/RPC protocol. Both carry a CVSS score of 9.8. An attacker with network access to the vCenter Server can trigger them by sending specially crafted network packets, which may lead to remote code execution on the server; no credentials are needed for the network-facing path. Because vCenter holds administrative control over, and credentials for, every ESXi host it manages, code execution on it is effectively a compromise of the whole vSphere environment, which is why these patches should be treated as urgent and why the vCenter management interface should not be reachable from untrusted networks.

Local Privilege Escalation Vulnerability (CVE-2024-37081)

vCenter Server also contains CVE-2024-37081, rated CVSS 7.8. It covers multiple local privilege escalation issues that stem from a misconfiguration in the sudo configuration file. An authenticated local user without administrative privileges can exploit it to obtain root, which means full control of the vCenter appliance. The lower score reflects the precondition of a local, authenticated account, not a lesser impact: combined with any foothold on the appliance, such as a shell account or a lower-severity bug, it turns that foothold into root, so it should be patched together with the DCE/RPC flaws rather than deferred.
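The advisory does not publish the sudo rule that was fixed, so the audit below is a generic example of the bug class rather than VMware's code or the actual vCenter misconfiguration. It is added here to show what "a misconfiguration within the sudo configuration file" looks like in practice: rules that run shell-capable programs as root with caller-chosen arguments, wildcards in arguments, `SETENV`, and `env_keep` entries that let loader or interpreter variables reach the root process. The two sudoers texts are constructed for illustration; the second is the same set of delegations with the escalation paths closed.

```python
"""Audit a sudoers file for rules that turn a low-privilege login into root.

Added example for the bug class behind CVE-2024-37081. Generic audit, not
VMware's code and not the specific vCenter rule that was fixed (the advisory
does not publish it). Both sudoers texts below are constructed.
"""
import re
from dataclasses import dataclass, field

# Variables that change what a root process loads: LD_* affect every
# dynamically linked binary, the others only the named interpreters.
LOADER_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH"}
INTERP_ENV = {"PYTHONPATH": {"python", "python3"}, "PERL5LIB": {"perl"}}
# Programs that yield a shell or an arbitrary file write when run as root
# with caller-chosen arguments (see GTFOBins).
SHELL_ESCAPE = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "vi",
                "vim", "less", "more", "find", "awk", "tee", "env", "rsync"}

# user-or-%group  host = (runas) [TAG:]... cmd[, cmd]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class Finding:
    line_no: int
    rule: str
    reasons: list = field(default_factory=list)


def _env_kept(lines):
    """Return (env_reset enabled?, risky variables preserved via env_keep)."""
    env_reset, kept = True, set()
    for line in lines:
        if not line.startswith("Defaults"):
            continue
        body = line[len("Defaults"):]
        if re.search(r"(^|[\s,])!env_reset\b", body):
            env_reset = False
        for m in re.finditer(r'env_keep\s*\+?=\s*"?([^"]*)"?', body):
            kept |= set(m.group(1).split()) & (LOADER_ENV | set(INTERP_ENV))
    return env_reset, kept


def audit_sudoers(text: str) -> list:
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]
    env_reset, kept = _env_kept(lines)
    findings = []
    for n, line in enumerate(lines, 1):
        if not line:
            continue
        head = line.split()[0]
        if head.startswith("Defaults") or head.endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        runas = {u.strip() for u in (m.group("runas") or "root").split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue  # this rule cannot run anything as root
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        reasons = []
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                reasons.append("ALL: any command as root")
                continue
            prog, *args = cmd.split()
            base = prog.rsplit("/", 1)[-1]
            if base in SHELL_ESCAPE and (not args or "*" in cmd):
                reasons.append(f"{base} with caller-chosen arguments: shell escape")
            elif "*" in cmd:
                reasons.append(f"{base}: wildcard argument allows '..' traversal or extra flags")
            hits = kept & LOADER_ENV
            hits |= {v for v, progs in INTERP_ENV.items() if v in kept and base in progs}
            if not env_reset:
                reasons.append(f"{base}: env_reset disabled, caller's environment reaches root")
            elif hits:
                reasons.append(f"{base} inherits {', '.join(sorted(hits))} from the caller")
        if "SETENV" in tags:
            reasons.append("SETENV: caller sets the environment of the root process")
        if reasons:
            findings.append(Finding(n, line, reasons))
    return findings


SAMPLE_SUDOERS = """\
# constructed sample, not the vCenter appliance's real sudoers
Defaults    env_reset
Defaults    env_keep += "PYTHONPATH"
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
svc-backup  ALL=(root) NOPASSWD: /usr/bin/rsync
svc-report  ALL=(root) NOPASSWD: /usr/bin/python3 /opt/reports/run.py
svc-log     ALL=(root) NOPASSWD: /usr/bin/cat /var/log/*
ops         ALL=(root) NOPASSWD: SETENV: /opt/tools/collect.sh
monitor     ALL=(root) NOPASSWD: /usr/bin/systemctl status vmware-vpxd
"""

# Same delegations with fixed arguments, no wildcards, no SETENV, no env_keep.
HARDENED_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL) ALL
svc-backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/export/ /srv/backup/
svc-report  ALL=(root) NOPASSWD: /usr/bin/python3 /opt/reports/run.py
svc-log     ALL=(root) NOPASSWD: /usr/bin/journalctl -u vmware-vpxd
ops         ALL=(root) NOPASSWD: /opt/tools/collect.sh
monitor     ALL=(root) NOPASSWD: /usr/bin/systemctl status vmware-vpxd
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.rule}")
        for r in f.reasons:
            print(f"    - {r}")
    print("hardened findings:", len(audit_sudoers(HARDENED_SUDOERS)))
```

Run against the sample, the audit flags five of the six non-root rules (the `%wheel` grant, `rsync` with free arguments, `python3` with `PYTHONPATH` preserved, the `cat /var/log/*` wildcard, and the `SETENV` rule) and nothing in the hardened version. On a real appliance the same rules are visible to the low-privilege user through `sudo -l`, which is the quick manual check. The audit does not look at whether the target scripts themselves are writable by the caller, which is a separate and equally common escalation path.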

Historical Context: Recurring Issues with DCE/RPC Protocol

This is not the first time VMware has fixed a flaw in its DCE/RPC protocol implementation. In October 2023 it patched CVE-2023-34048, another critical vulnerability (CVSS 9.8) that allowed remote code execution via specially crafted network packets; in January 2024, Mandiant reported that this earlier flaw had been exploited in the wild since late 2021, before its patch was available. The recurrence of bugs in the same parser shows that this code path deserves continued scrutiny, and that exposure of the vCenter management interface to untrusted networks should be kept to a minimum.

Discovery and Reporting

Hao Zheng and Zibo Li of the Chinese cybersecurity firm QiAnXin LegendSec reported CVE-2024-37079 and CVE-2024-37080, the two DCE/RPC heap overflows. Matei "Mal" Badanoiu of Deloitte Romania separately reported CVE-2024-37081, the sudo-based local privilege escalation. All three were fixed by VMware in the same set of patches.

Affected Versions and Patch Information

The identified vulnerabilities affect vCenter Server versions 7.0 and 8.0. VMware has addressed these issues in the following versions:

  • vCenter Server 7.0: Updated to version 7.0 U3r
  • vCenter Server 8.0: Updated to versions 8.0 U1e and 8.0 U2d

Users running affected versions are strongly urged to upgrade to the fixed versions to mitigate potential risks.

Urgency of Applying Patches

Although no exploitation in the wild had been reported at the time of writing, the high CVSS scores and the combination of unauthenticated remote code execution with local privilege escalation make these flaws a priority. The October 2023 DCE/RPC flaw in the same component, CVE-2023-34048, was later found to have been exploited before its patch shipped, so the absence of exploitation reports should not be read as an absence of risk. Apply the available patches without delay; where a maintenance window cannot be found immediately, restrict network access to the vCenter management interface to trusted administrative networks until the update is installed.

Remediation Steps

  1. Identify Affected Systems: Inventory every vCenter Server 7.0 and 8.0 instance in your environment, including those deployed as part of Cloud Foundation, and record each one's version and build number; the update level (U3r, U1e, U2d) is reflected in the build number, not in the major version.
  2. Download Patches: Obtain the 7.0 U3r, 8.0 U1e, or 8.0 U2d update that matches each release line from VMware's official download site, and verify the published checksums before use.
  3. Backup Systems: Take a file-based backup of the vCenter appliance (and a snapshot, where it runs as a VM) before applying any patch so that a failed update can be rolled back.
  4. Test Patches: Apply the update in a staging or test environment first to confirm compatibility with plugins, integrations, and the ESXi versions under management.
  5. Deploy Patches: Install the update on all affected production systems following VMware's installation guidelines, inside a maintenance window, since vCenter services restart during the update.
  6. Verify Updates: Confirm from the appliance that the reported version and build now match the fixed release and that management services are healthy.
  7. Monitor Systems: Continue to monitor the systems for unusual activity, in particular unexpected connections to the vCenter management interface and unexpected root sessions on the appliance, and confirm that the vulnerabilities are mitigated.
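Steps 1 and 6 come down to comparing each appliance's reported version and build against the fixed release for its line. The script below is an added example of that triage, not VMware tooling. It classifies records shaped like the body of `GET /api/appliance/system/version` on the vCenter REST API; the records here are constructed rather than fetched, and the per-line minimum build numbers are assumptions that must be confirmed against VMware's vCenter build-number KB (KB 2143838) before the script is used for anything real.

```python
"""Triage vCenter Server instances against the fixed releases in VMSA-2024-0012.

Added example, not VMware tooling. Each record is the JSON body the appliance
REST API returns for GET /api/appliance/system/version; the records below are
constructed, not captured. FIXED_BUILD values are assumptions to confirm
against VMware KB 2143838 before use.
"""
import json

# Lowest build that carries the fix, per release line. vCenter versions encode
# the update as the third component: 7.0 U3 = 7.0.3, 8.0 U1 = 8.0.1, 8.0 U2 = 8.0.2.
# ASSUMED build numbers: verify against VMware KB 2143838.
FIXED_BUILD = {
    (7, 0, 3): ("7.0 U3r", 24026615),
    (8, 0, 1): ("8.0 U1e", 24038545),
    (8, 0, 2): ("8.0 U2d", 23929136),
}
AFFECTED_LINES = {(7, 0), (8, 0)}  # release lines named in the advisory


def parse_version(version: str) -> tuple:
    """'8.0.2.00300' -> (8, 0, 2); the fourth component is not needed."""
    major, minor, update = (int(p) for p in version.split(".")[:3])
    return major, minor, update


def assess(hostname: str, api_json: str) -> dict:
    """Classify one appliance from its /api/appliance/system/version body."""
    info = json.loads(api_json)
    line = parse_version(info["version"])
    build = int(info["build"])
    result = {"host": hostname, "version": info["version"], "build": build}
    if "vCenter" not in info.get("product", ""):
        return {**result, "status": "SKIPPED", "action": "not a vCenter Server appliance"}
    fixed = FIXED_BUILD.get(line)
    if fixed is not None:
        name, min_build = fixed
        if build >= min_build:
            result.update(status="PATCHED", action=f"none, {name} or later is installed")
        else:
            result.update(status="VULNERABLE", action=f"apply {name} (build {min_build} or later)")
    elif line[:2] in AFFECTED_LINES:
        # e.g. 8.0 GA or 7.0 U1/U2: no patch on this line, move to a fixed update
        targets = [name for (maj, mnr, _), (name, _) in FIXED_BUILD.items()
                   if (maj, mnr) == line[:2]]
        result.update(status="VULNERABLE", action="upgrade to " + " or ".join(targets))
    else:
        result.update(status="UNCOVERED",
                      action="release line not in the advisory's fix list; treat as unpatched")
    return result


def triage(inventory) -> list:
    """inventory: iterable of (hostname, api_json). Worst cases first."""
    order = {"VULNERABLE": 0, "UNCOVERED": 1, "PATCHED": 2, "SKIPPED": 3}
    return sorted((assess(h, j) for h, j in inventory), key=lambda r: order[r["status"]])


def _record(version, build, product="VMware vCenter Server"):
    # Same field names as the real response body; all values are constructed.
    return json.dumps({"product": product, "version": version, "build": str(build)})


SAMPLE_INVENTORY = [
    ("vc-prod-01", _record("8.0.2.00400", 23929136)),  # exactly the fixed build
    ("vc-prod-02", _record("8.0.2.00300", 23300000)),  # 8.0 U2 line, below the fix
    ("vc-lab-01", _record("7.0.3.01800", 23700000)),   # 7.0 U3 line, below the fix
    ("vc-legacy", _record("8.0.0.10200", 21000000)),   # 8.0 GA line, no patch on it
    ("vc-old", _record("6.7.0.50000", 19000000)),      # outside the advisory
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['host']:<12} {r['version']:<12} {r['build']:<9} {r['status']:<10} {r['action']}")
```

In a live run, each `api_json` is the response to `GET https://<vcenter>/api/appliance/system/version`, sent with the session ID obtained from `POST https://<vcenter>/api/session`; the script is deliberately offline so the classification logic can be checked on its own. Re-running it after step 5 gives the verification in step 6: every host should move to PATCHED, and any UNCOVERED entry is a line that needs an upgrade rather than a patch.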