VMware fixes 2 critical bugs; check if your vCenter Server is affected

VMware patched two critical vulnerabilities in its vCenter Server application, which were disclosed in an advisory late Monday.

Organizations that use VMware vCenter Server to manage their vSphere environments and as a component of Cloud Foundation should patch as soon as possible to prevent exploitation.

Fixes are available for vCenter versions 8.0 and 7.0, and asynchronous patches are also available for Cloud Foundation versions 5.x and 4.x. However, vSphere versions that have reached End of General Support, such as vSphere 6.5 and 6.7, have not been assessed for these vulnerabilities and will not be updated, according to a VMware FAQ.

The critical vulnerabilities are tracked as CVE-2024-37079 and CVE-2024-37080, and both have a CVSS score of 9.8. The two entries carry identical descriptions in the National Vulnerability Database, indicating that both are heap-overflow vulnerabilities in vCenter Server's implementation of the Distributed Computing Environment/Remote Procedure Calls (DCE/RPC) protocol.

These flaws could enable an attacker with access to the victim network to send a crafted network packet leading to remote code execution (RCE).

High-severity VMware privilege escalation bug also patched

In addition to the critical flaws, VMware disclosed and patched a high-severity privilege escalation bug tracked as CVE-2024-37081.

This vulnerability, which has a CVSS score of 7.8, results from misconfiguration of the sudo command, which allows users to run commands with the privileges of another user.

CVE-2024-37081 can be exploited by an authenticated local user with non-administrative privileges to elevate to root privileges on vCenter Server.

This flaw is addressed by the same fixed vCenter Server versions that resolve CVE-2024-37079 and CVE-2024-37080: 8.0 U2d and 7.0 U3r. Another available version, 8.0 U1e, fixes the two critical flaws but does not resolve the privilege escalation flaw.
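A triage helper for the fix matrix described above, written as an added example for this article (not VMware's own tooling): it maps a human-readable vCenter Server version string such as `8.0 U2c` to the CVEs still outstanding, treating 8.0 U1e as a partial fix that leaves the sudo privilege escalation open and 6.5/6.7 as unassessed End of General Support releases. The version-string format and the hostnames used in testing are assumptions constructed for the example.

```python
import re

# Fix matrix constructed from the advisory coverage above (not VMware's own data):
# per (major, update line), the first patch letter carrying the fix and what it resolves.
CRITICAL = {"CVE-2024-37079", "CVE-2024-37080"}
ALL_CVES = CRITICAL | {"CVE-2024-37081"}
FIXED = {
    ("8.0", 2): ("d", ALL_CVES),  # 8.0 U2d resolves all three
    ("8.0", 1): ("e", CRITICAL),  # 8.0 U1e leaves the sudo privilege escalation open
    ("7.0", 3): ("r", ALL_CVES),  # 7.0 U3r resolves all three
}
UNASSESSED = {"6.5", "6.7"}  # End of General Support: not assessed, not patched

# Human-readable form used in the advisory, e.g. "8.0 U2c", "7.0 U3r" or a GA "8.0"
VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_version(text):
    """Split '8.0 U2c' into ('8.0', 2, 'c'); a GA release yields update 0, letter ''."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, update, letter = m.groups()
    return major, int(update or 0), (letter or "").lower()


def assess(version_text):
    """Return (status, outstanding CVEs); status is unassessed|unknown|vulnerable|partial|fixed."""
    major, update, letter = parse_version(version_text)
    if major in UNASSESSED:
        return "unassessed", set(ALL_CVES)
    lines = {u for (m, u) in FIXED if m == major}
    if not lines or update > max(lines):
        # Lines the advisory does not name (e.g. after 8.0 U2): not stated as fixed, so not assumed safe
        return "unknown", set(ALL_CVES)
    entry = FIXED.get((major, update))
    if entry is None or letter < entry[0]:
        # Older update line (8.0 GA, 7.0 U2, ...) or an earlier patch letter within the fixed line
        return "vulnerable", set(ALL_CVES)
    outstanding = ALL_CVES - entry[1]
    return ("partial" if outstanding else "fixed"), outstanding


def triage(inventory):
    """Take {hostname: version string} for a fleet; return only hosts that still need action."""
    report = {}
    for host, version in inventory.items():
        status, cves = assess(version)
        if status != "fixed":
            report[host] = (status, sorted(cves))
    return report
```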

No effective workarounds are available for any of the three vulnerabilities, according to VMware, although the FAQ noted that firewalls could be used to help restrict access and mitigate the risk until patches can be applied.

Organizations using products that have reached their End of General Support date and have extended support should contact their relevant representative for assistance, VMware said.

The company indicated there was no evidence that any of the bugs have been exploited in the wild.

Importance of securing VMware environments

VMware products and environments are valuable targets for cybercriminals due to their widespread use, storage of sensitive data, and the potential to leverage VM control to ultimately infiltrate the host machine.

Last month, MITRE published a blog post advising fellow VMware users about the dangers of rogue VMs on their systems, after the organization’s own environment was compromised via two Ivanti Connect Secure vulnerabilities. In that case, which did not involve VMware vulnerabilities, Chinese nation-state hackers used hidden VMs to establish persistence within MITRE’s NERVE ESXi infrastructure.

VMware also patched two critical and high-severity vulnerabilities in Workstation, Fusion and ESXi in March, which could allow an attacker with local administrative privileges to execute code, due to “use-after-free” flaws.

In February, VMware disclosed that the optional VMware Enhanced Authentication Plug-in, a single sign-on tool for vSphere’s management interface, contained critical and high-severity flaws that would not be patched because the plug-in has been deprecated since 2021. Users were instructed to uninstall the plug-in to prevent exploitation.
