Broadcom Advises Urgent Patch for Severe VMware vCenter Server Vulnerabilities

A recent security advisory from Broadcom, now the owner of VMware, discloses critical vulnerabilities affecting VMware vCenter Server and the virtualized environments it manages.

The advisory, VMSA-2024-0012, addresses three critical vulnerabilities discovered in vCenter Server. The flaws, tracked as CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081, can be exploited by malicious actors to gain unauthorized access to vCenter Server systems, a crucial component for managing VMs on the Cloud Foundation and vSphere platforms.

Broadcom’s advisory states that CVE-2024-37079 and CVE-2024-37080 are heap-overflow flaws, each with a CVSS score of 9.8. Hao Zheng and Zibo Li from the TianGong Team of Legendsec at Qi’anxin Group reported the issues.

Both flaws lie in vCenter Server’s implementation of the DCERPC protocol and allow attackers to execute code remotely, which indicates a serious risk. Distributed Computing Environment / Remote Procedure Calls (DCERPC) is a networking protocol that enables a program on one computer to execute a procedure on another, letting applications use services on remote machines as if they were local procedures. A malicious actor with network access to vCenter Server can trigger the vulnerabilities by sending a crafted network packet, potentially leading to remote code execution.

The third vulnerability, CVE-2024-37081 with a CVSS score of 7.7, allows local users to gain full control of vCenter Server appliances. The known attack vector involves an authenticated local user with non-administrative privileges exploiting the issue to elevate privileges to root on the vCenter Server Appliance. Matei Badanoiu from Deloitte Romania reported these issues.

VMware states that these vulnerabilities have not been actively exploited. Still, their severity cannot be overlooked, given that the heap-overflow flaws can be exploited remotely: attackers do not need physical or local access to the vCenter Server to launch an attack.

The consequences for organizations that rely on VMware vCenter Server to manage their virtual infrastructure could be severe. Potential impacts include data compromise, disruption of operations, and lateral movement into the managed virtual machines.

Broadcom recommends patching all vulnerable instances as there are no “viable” workarounds available. The security advisory emphasizes the importance of staying vigilant, implementing robust security practices, and promptly patching vulnerabilities to reduce the risk of a successful cyberattack.

Experts Comment

John Bambenek, President at Bambenek Consulting, commented on the latest development, highlighting the dangers of these security flaws. “VMWare is a popular target because it is a popular platform, and with one exploit, I don’t just get one asset, I get all assets under management. More and more, infrastructure is virtualized, and VMWare is the industry leader in on-prem virtualization. If I wanted to attack an organization with ransomware and shut them down quickly, I’d either target AD or target their hypervisor environment,” John said.

He further advised that vCenter, and hypervisors generally, only need to be accessed by a few people. They should be isolated on administrative VLANs or have strong network access controls so only administrators can reach them. This means attackers would need to compromise those admins first before exploiting the vulnerability. At the very least, these interfaces should never be accessible from the open internet.
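The network-isolation advice above can be turned into a routine audit. The following is an added example (not from the article, Broadcom or VMware) that checks a constructed firewall rule set and flags any allow rule letting a source outside the administrative network reach a vCenter management port; the host addresses, CIDRs and rule names are constructed, and the RPC port numbers are assumptions that may differ per deployment.

```python
import ipaddress
from dataclasses import dataclass

# vCenter ports to audit. 443 is the vSphere Client/API port; the RPC ports
# are assumed here and may differ per deployment.
VCENTER_MGMT_PORTS = {443, 2012, 2014, 2020}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination host or CIDR
    port: int    # destination TCP port; 0 means any
    action: str  # "allow" or "deny"

def rule_exposes_vcenter(rule, vcenter_hosts, admin_nets, ports=VCENTER_MGMT_PORTS):
    """True if an allow rule lets a non-admin source reach a vCenter management port.
    Rules are judged independently (no first-match ordering is modelled)."""
    if rule.action != "allow":
        return False
    if rule.port != 0 and rule.port not in ports:
        return False
    dst = ipaddress.ip_network(rule.dst, strict=False)
    if not any(ipaddress.ip_address(h) in dst for h in vcenter_hosts):
        return False
    src = ipaddress.ip_network(rule.src, strict=False)
    # Acceptable only if the source lies entirely inside one admin network; a broader
    # range (e.g. 10.0.0.0/8 around a /24 admin VLAN) still admits non-admin hosts.
    return not any(src.subnet_of(net) for net in admin_nets)

def audit(rules, vcenter_hosts, admin_cidrs):
    """Return the names of rules that expose vCenter beyond the admin networks."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    return [r.name for r in rules if rule_exposes_vcenter(r, vcenter_hosts, admin_nets)]

# Constructed sample data: one vCenter appliance, one administrative VLAN.
VCENTER_HOSTS = ["10.20.0.10"]
ADMIN_CIDRS = ["10.10.0.0/24"]
SAMPLE_RULES = [
    Rule("admin-to-vcenter", "10.10.0.0/24", "10.20.0.10/32", 443, "allow"),
    Rule("corp-to-vcenter", "10.0.0.0/8", "10.20.0.10/32", 443, "allow"),  # too broad
    Rule("internet-to-vcenter", "0.0.0.0/0", "10.20.0.0/24", 0, "allow"),  # internet-facing
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
    Rule("internet-to-web", "0.0.0.0/0", "10.30.0.5/32", 443, "allow"),  # not vCenter
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, VCENTER_HOSTS, ADMIN_CIDRS))
```

Against the sample rules the audit flags both the corporate-wide allow and the internet-facing one, while the admin-VLAN rule and the unrelated web-server rule pass.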
