VMware has disclosed critical vulnerabilities impacting its VMware vSphere and VMware Cloud Foundation products, urging customers to immediately install updates containing patches.
The issues are in the VMware vCenter Server, which is present in the affected products.
In a critical security advisory published on June 17, 2024, the cloud computing firm highlighted three CVEs with severity scores ranging from 7.8-9.8.
The vulnerabilities are memory management and corruption flaw, potentially leading to remote code execution.
- Multiple heap-overflow vulnerabilities: CVE-2024-37079 and CVE-2024-37080 relate to multiple heap-overflow vulnerabilities in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution. These issues have been given a CVSS score of 9.8.
- Multiple local privilege escalation vulnerabilities: CVE-2024-37081 relates to multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. These issues have been given a CVSS score of 7.8.
VMWare Customers Urged to Take Action
While VMware is not currently aware of exploitation of the vulnerabilities in the wild, it is recommending that customers take immediate action to address the issues, given the severity.
Patches have been applied in the following updates that are available to customers:
vCenter Server
Version 8.0 U2d is available for customers running v 8.0 of VMware’s vCenter Server. This version has fixes for CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081.
8.0 U1e is also available for v 8.0. This has patches for CVE-2024-37079 and CVE-2024-37080.
For customers using vCenter Server v 7.0, v 7.0 U3r is available which contains fixes for CVE-2024-37079, CVE-2024-37080, CVE-2024-37081.
Cloud Foundation
Version KB88287 is available for customers using v 4.x and 5.x of VMware’s Cloud Foundation, and has fixes for CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081.
Workarounds
VMware said it investigated in-product workarounds for the vulnerabilities, but none were determined to be viable.
The company stated: “There may be other mitigations and compensating controls available in your organization, depending on your security posture, defense-in-depth strategies, and configurations of perimeter firewalls and appliance firewalls. All organizations must decide for themselves whether to rely on those protections.”
VMware has not evaluated whether vSphere product versions 6.5 or 6.7 have the vulnerabilities as they are past their End of General Support dates.
VMware has thanked Hao Zheng and Zibo Li from TianGong Team of Legendsec at Qi'anxin Group for responsibly reporting the issues in CVE-2024-37079 and CVE-2024-37080 to them, and Matei "Mal" Badanoiu for reporting the issues in CVE-2024-37081.
Image credit: Mehaniq / Shutterstock.com