Multiple VMware vCenter Server Flaws Allow Remote Code Execution

VMware has released a critical security advisory, VMSA-2024-0012, addressing multiple vulnerabilities in VMware vCenter Server, a core component of VMware vSphere and VMware Cloud Foundation products.

If exploited, these vulnerabilities could allow an attacker to execute code remotely on affected systems.


The advisory covers three vulnerabilities, two heap overflows and one local privilege escalation, tracked as CVE-2024-37079, CVE-2024-37080 and CVE-2024-37081.


Heap-Overflow Vulnerabilities (CVE-2024-37079, CVE-2024-37080)

These vulnerabilities are in vCenter Server's implementation of the DCERPC protocol. Both carry a CVSSv3 base score of 9.8, indicating critical severity.

A malicious actor with network access to the vCenter Server can exploit them by sending specially crafted network packets, potentially leading to remote code execution. A 9.8 score implies a network attack vector with no privileges required, so no vCenter credentials are needed; any host that can reach the vCenter management interfaces is a potential attacker.

Patch:

VMware has released patches to address these vulnerabilities. Users are advised to apply the updates listed in the 'Fixed Version' column of the response matrix below. The advisory lists no workarounds for the DCERPC flaws, so until the patch is applied the only compensating control is to restrict network access to the vCenter Server management interfaces to trusted administrative networks.

Local Privilege Escalation Vulnerability (CVE-2024-37081)

This vulnerability stems from a sudo misconfiguration in vCenter Server. An authenticated local user with non-administrative privileges can exploit it to elevate their privileges to root. It has a CVSSv3 base score of 7.8 and a VMware severity rating of Important.

Unlike the DCERPC flaws, exploitation requires an existing local account on the vCenter Server Appliance, so this is a post-compromise escalation path to root rather than an initial-access vector.

Patch:

Patches have been released to remediate this issue. Users should apply the updates listed in the response matrix; no workaround is listed.

Response Matrix

VMware Product | Version | Running On | CVE                                               | CVSSv3        | Severity | Fixed Version | Workarounds | Additional Documentation
vCenter Server | 8.0     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081    | 9.8, 9.8, 7.8 | Critical | 8.0 U2d       | None        | FAQ
vCenter Server | 8.0     | Any        | CVE-2024-37079, CVE-2024-37080                    | 9.8, 9.8      | Critical | 8.0 U1e       | None        | FAQ
vCenter Server | 7.0     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081    | 9.8, 9.8, 7.8 | Critical | 7.0 U3r       | None        | FAQ

Note that 8.0 U1e addresses only the two DCERPC heap overflows; on the 8.0 line, CVE-2024-37081 is fixed in 8.0 U2d.

Impacted Product Suites

VMware Product                    | Version | Running On | CVE                                               | CVSSv3        | Severity | Fixed Version | Workarounds | Additional Documentation
Cloud Foundation (vCenter Server) | 5.x     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081    | 9.8, 9.8, 7.8 | Critical | KB88287       | None        | FAQ
Cloud Foundation (vCenter Server) | 4.x     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081    | 9.8, 9.8, 7.8 | Critical | KB88287       | None        | FAQ

Organizations using VMware vCenter Server are urged to apply the necessary patches immediately to mitigate these critical vulnerabilities.

How to Verify Patches

Organizations can verify that patches have been successfully applied to vCenter Server by following these steps:

Access the Appliance Shell:

  • Log in to the vCenter Server Appliance shell as a user with super administrator privileges, typically root. The software-packages commands below belong to the appliance shell (appliancesh); if root's login shell has been switched to bash, run appliancesh first.

List Installed Patches:

  • Use the software-packages utility to view the patches currently applied to the vCenter Server Appliance:

      software-packages list

  • To view the patches in chronological order, use:

      software-packages list --history

  • The history output lists every patch applied, including its installation date and other relevant details.

Check Specific Patch Details:

  • To verify details about a specific patch, use:

      software-packages list --patch <patch_name>

  • Replace <patch_name> with the name of the patch you want to check, for example:

      software-packages list --patch VMware-vCenter-Server-Appliance-Patch1

  • This prints the details of the specified patch, such as vendor, description and installation date.

Use the vCenter Server Management Interface (VAMI):

  • Log in to the VAMI at https://<vcenter-hostname-or-IP>:5480 using the root account.
  • Navigate to the "Update" section. The "Current version details" pane shows the vCenter Server version and build number; compare the build number with the one listed in the release notes for the fixed release that applies to your train (8.0 U2d, 8.0 U1e or 7.0 U3r).
  • The "Available Updates" pane shows the status of updates, including whether they have been installed successfully.

Verify System Functionality:

  • After applying patches, ensure that the vCenter Server Appliance is functioning correctly. Check critical services and perform routine operations to confirm that the system is stable and operating as expected.

By following these steps, organizations can confirm that the fixed version is installed on their vCenter Server and that the appliance is running as expected afterwards.
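For fleets with more than a handful of appliances, the same check can be automated against the vSphere Automation API instead of logging in to each shell. The script below is an added example and is not part of the advisory or of any VMware tooling. It assumes the appliance version string has the form major.minor.update.patch (for example 8.0.2.00100), that the build is a plain integer, that the response matrix maps 8.0 U2d to the 8.0.2.x line, 8.0 U1e to the 8.0.1.x line and 7.0 U3r to the 7.0.3.x line, and that the operator supplies the fixed build number for the relevant train from the VMware release notes; it deliberately hard-codes no build numbers. The sample JSON at the bottom is constructed, not a real vCenter response.

```shell
#!/bin/sh
# Added example (not from the advisory or VMware): decide whether a vCenter
# Server Appliance is at or above the build that fixes its release train,
# using the JSON that GET /api/appliance/system/version returns.
#
# Assumptions: "version" looks like major.minor.update.patch, "build" is a
# plain integer, and the fixed build for the train is supplied by the
# operator from the release notes (no build numbers are hard-coded here).

# Map the appliance version to the fixed release named in the
# VMSA-2024-0012 response matrix (assumed train mapping, see lead-in).
fixed_release_for() {
  case "$1" in
    8.0.2.*) echo "8.0 U2d" ;;
    8.0.1.*) echo "8.0 U1e" ;;
    7.0.3.*) echo "7.0 U3r" ;;
    *)       echo "not covered by the VMSA-2024-0012 matrix" ;;
  esac
}

# Pull one string field out of a flat JSON object on stdin without jq:
# {"version":"8.0.2.00100","build":"20000000"} + "build" -> 20000000
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# 0 when the current build ($1) is numeric and >= the fixed build ($2),
# 1 when it is older, 2 when either value is not a plain integer.
build_at_least() {
  case "$1" in ''|*[!0-9]*) return 2 ;; esac
  case "$2" in ''|*[!0-9]*) return 2 ;; esac
  [ "$1" -ge "$2" ]
}

# Read version JSON from stdin, compare against the operator-supplied
# fixed build ($1) and print a one-line verdict. Exit 0 means patched.
check_appliance() {
  json=$(cat)
  ver=$(printf '%s' "$json" | json_field version)
  build=$(printf '%s' "$json" | json_field build)
  rel=$(fixed_release_for "$ver")
  if build_at_least "$build" "$1"; then
    echo "PATCHED   version=$ver build=$build (at or above $rel, build $1)"
    return 0
  fi
  echo "NOT FIXED version=$ver build=$build (needs $rel, build >= $1)"
  return 1
}

# Live fetch (needs network and credentials; not exercised offline):
# POST /api/session returns the session token as a JSON string, which
# later calls send in the vmware-api-session-id header. $3 is the CA
# bundle used to verify the vCenter certificate (avoid curl -k).
fetch_version_json() {
  host=$1; user=$2; cafile=$3
  sid=$(curl -s --cacert "$cafile" -u "$user" -X POST \
        "https://$host/api/session" | tr -d '"')
  curl -s --cacert "$cafile" -H "vmware-api-session-id: $sid" \
       "https://$host/api/appliance/system/version"
}

# Usage against a real appliance (fixed build taken from the release notes):
#   fetch_version_json vc.example.test 'administrator@vsphere.local' ca.pem \
#     | check_appliance <fixed_build>
# Offline demo with a constructed sample (not a real vCenter response):
SAMPLE='{"version":"8.0.2.00100","build":"20000000","product":"VMware vCenter Server"}'
printf '%s\n' "$SAMPLE" | check_appliance 20000100 || true
```

The build comparison is the part that matters: a version string such as 8.0.2.x only tells you which train you are on, while the build number is what distinguishes a patched update from the one before it, so always take the fixed build from the release notes of the exact fixed release rather than inferring it from the version string.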


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.