Black Arrow Cyber Advisory 19 June 2024 – Critical VMware vCenter Remote Code Execution and Privilege Escalation Vulnerability
Executive summary
Broadcom has released patches addressing three vulnerabilities affecting VMware vCenter Server. Two of the vulnerabilities are critical severity and allow remote code execution (CVE-2024-37079 and CVE-2024-37080); the third (CVE-2024-37081) allows an authenticated local user to gain administrative privileges.
What’s the risk to me or my business?
If successfully exploited, the two critical vulnerabilities allow an attacker with network access to vCenter Server to execute arbitrary code remotely, and the third allows a local authenticated user to gain administrative (root) privileges on the appliance. All three vulnerabilities, if exploited, could have a high impact on the confidentiality, integrity and availability of the organisation's data on affected systems.
What can I do?
There is currently no evidence that these vulnerabilities are being exploited in the wild; however, Black Arrow recommends applying the available patches as soon as possible. Further information can be found in the Broadcom advisory linked below.
Technical Summary
CVE-2024-37079 and CVE-2024-37080 – vCenter Server contains heap-overflow vulnerabilities in its implementation of the Distributed Computing Environment/Remote Procedure Call (DCERPC) protocol. An attacker with network access to vCenter Server could trigger these by sending specially crafted network packets, potentially leading to arbitrary remote code execution.
CVE-2024-37081 – vCenter Server contains multiple local privilege escalation vulnerabilities caused by misconfiguration of sudo. An authenticated local user with non-administrative privileges can exploit these to elevate to root (administrative) privileges on the vCenter Server Appliance.
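The sudo issue above is a class of misconfiguration that can be audited directly on any appliance or Linux host: list the rules that apply to a non-administrative account with "sudo -l" and look for entries that grant root without meaningful restriction. The following script is an added example written for this advisory; it is not Broadcom's code and does not reproduce the specific vCenter sudoers entries that were patched. The sample "sudo -l" output, the account name, the host name and the command paths in it are constructed for illustration, and the list of shell-escape binaries is an illustrative subset rather than an exhaustive one.

```shell
#!/bin/sh
# Added example: audit "sudo -l" output for rules that let a non-admin
# local user reach root. Constructed sample mimicking the sudo(8) listing
# format; NOT real vCenter Server Appliance output, paths are illustrative.
SAMPLE_SUDO_L='User svc-backup may run the following commands on vcsa:
    (root) NOPASSWD: /usr/bin/rsync
    (root) /usr/lib/vmware-vmon/vmon-cli -l
    (root) NOPASSWD: /bin/sh
    (root) NOPASSWD: /opt/vmware/bin/*.sh
    (ALL : ALL) ALL'

# Binaries that can spawn a shell or write arbitrary files when run as root,
# so a sudo rule naming them is effectively "ALL". Illustrative subset only.
SHELL_ESCAPES='sh bash dash ksh zsh python python3 perl vi vim less more find awk rsync tar'

# Read "sudo -l" output on stdin and print "<reason>: <rule>" for each
# rule that is a plausible root-escalation path. Three checks are applied:
#   1. the command is ALL (any command as the run-as user)
#   2. the command contains a glob (argument/path injection into the match)
#   3. the command's binary is a known shell escape
audit_sudo_rules() {
    # Rule lines are the indented ones that begin with "(runas-user)".
    sed -n 's/^[[:space:]]*(/(/p' | while IFS= read -r rule; do
        # Drop the "(runas) " prefix and the optional "NOPASSWD:" tag so that
        # $cmd holds only the command specification.
        spec=${rule#*\) }
        cmd=${spec#NOPASSWD: }
        case "$cmd" in
            ALL)  echo "unrestricted ALL: $rule"; continue ;;
            *\**) echo "wildcard in command: $rule"; continue ;;
        esac
        # First word of the command is the binary; compare its basename
        # against the shell-escape list.
        base=$(basename "${cmd%% *}")
        for b in $SHELL_ESCAPES; do
            if [ "$base" = "$b" ]; then
                echo "shell escape via $b: $rule"
                break
            fi
        done
    done
}

# Demo on the constructed sample: flags 4 of the 5 rules (vmon-cli with a
# fixed argument and no wildcard is left alone). On a real host run:
#   sudo -l | audit_sudo_rules
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

Any rule the script flags deserves a closer look: "ALL" and wildcard entries are the textbook sudo misconfigurations, while a NOPASSWD rule for a binary with a built-in shell escape (rsync's -e, find's -exec, an editor's "!" command) hands the same access to anyone who can log in as that account. The script only reads the listing; it does not attempt to exploit anything it finds.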
Further information on the VMware advisory can be found here:
https://core.vmware.com/resource/vmsa-2024-0012-questions-answers#introduction
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity