This advisory is for organizations that use VMware vCenter Server or VMware Cloud Foundation (which embeds vCenter Server). If your organization does not use either platform, this notification may be discarded.
Summary
VMware (now part of Broadcom) has released updated versions of vCenter Server and Cloud Foundation under VMSA-2024-0012 to address three vulnerabilities: two critical heap overflows in the DCERPC protocol implementation that can lead to unauthenticated remote code execution, and a sudo misconfiguration that allows an authenticated local user to escalate to root.
CVE-2024-37079: CVSSv3.1: 9.8
A heap-overflow vulnerability in the DCERPC protocol implementation of vCenter Server. An attacker with network access to the vCenter Server can trigger the overflow by sending specially crafted packets, potentially leading to remote code execution. A 9.8 base score corresponds to an attack that is reachable over the network and needs neither privileges nor user interaction, so exposure of the vCenter management network is the main risk factor. Restricting network access to vCenter reduces exposure but is not a substitute for patching.
CVE-2024-37080: CVSSv3.1: 9.8
A second heap-overflow vulnerability in the same DCERPC protocol implementation of vCenter Server. As with CVE-2024-37079, an attacker with network access can trigger it with crafted packets, potentially resulting in remote code execution.
CVE-2024-37081: CVSSv3.1: 7.8
A misconfiguration of sudo in vCenter Server permits an authenticated local user (a non-root account on the appliance) to elevate privileges to root on the vCenter Server Appliance. Exploitation requires an existing foothold on the appliance, which is why the score is lower, but chained with either DCERPC issue it completes a full takeover.
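The advisory does not publish the specific sudoers rule behind CVE-2024-37081; the only fix is the upgrade listed under Mitigations. What a practitioner can do on any appliance is audit the sudo policy for the general class of misconfiguration the advisory names. The checker below is an added example written for this page, not VMware's code and not the VCSA's real sudoers file: the embedded `SAMPLE_SUDOERS` is constructed, and every user name and command path in it is invented. It flags the patterns that most often turn a service account into root: `ALL` command grants, the `SETENV` tag, `env_keep` preserving loader or interpreter variables, commands with known shell escapes, and wildcards in command arguments. On a real appliance you would feed it `sudo cat /etc/sudoers` plus the files under `/etc/sudoers.d`.

```python
"""Heuristic sudoers audit for local-privilege-escalation patterns.
Added example for this advisory; not VMware code. Assumes plain sudoers syntax."""
import re
from dataclasses import dataclass

# Constructed sample to exercise the checker. NOT the vCenter Server Appliance's
# real configuration; all users and paths below are invented.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LD_PRELOAD PYTHONPATH"
root     ALL=(ALL) ALL
svcuser  ALL=(root) NOPASSWD: SETENV: /usr/lib/example/rotate-logs.sh
backup   ALL=(root) NOPASSWD: /usr/bin/tar
auditor  ALL=(root) /usr/bin/less /var/log/*
ops      ALL=(ALL) NOPASSWD: ALL
"""

# Variables that change what the dynamic loader or an interpreter executes;
# preserving them across sudo lets the caller inject code into a root process.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB",
                 "PATH", "BASH_ENV", "ENV"}
# Binaries with well-known shell escapes or arbitrary file write when run as root.
SHELL_ESCAPE_BINARIES = {"less", "more", "vi", "vim", "tar", "find", "awk",
                         "python", "python3", "perl", "bash", "sh", "env"}
ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# user host=(runas) [TAG:]... commands
USER_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$")
TAG_RE = re.compile(
    r"\b(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([^"]*)"?')


@dataclass
class Finding:
    line: str
    reasons: list


def audit_sudoers(text: str) -> list:
    """Return one Finding (with all matching reasons) per risky sudoers line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(ALIAS_KEYWORDS):
            continue
        reasons = []
        if line.startswith("Defaults"):
            m = ENV_KEEP_RE.search(line)
            if m:
                kept = set(m.group(1).split()) & DANGEROUS_ENV
                if kept:
                    reasons.append(f"env_keep preserves {sorted(kept)}")
        else:
            m = USER_SPEC_RE.match(line)
            if not m or m.group("user") == "root":
                continue  # unparsable line or a rule for root itself
            user, rest = m.group("user"), m.group("rest")
            tags = set(TAG_RE.findall(rest))
            cmds = [c.strip() for c in TAG_RE.sub("", rest).split(",") if c.strip()]
            if "ALL" in cmds:
                reasons.append(f"{user} may run any command")
            if "SETENV" in tags:
                reasons.append(f"{user} may override the environment (SETENV)")
            for cmd in cmds:
                binary = cmd.split()[0].rsplit("/", 1)[-1]
                if binary in SHELL_ESCAPE_BINARIES:
                    reasons.append(f"{binary} offers a shell escape or file write as root")
                if "*" in cmd:
                    reasons.append(f"wildcard in command argument: {cmd}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Treat each finding as a lead, not a verdict: a `NOPASSWD` rule for a single fixed script is only exploitable if the script itself is writable or trusts its environment, so follow up by checking ownership and permissions of every command path the rule grants.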
Affected Platforms
VMware vCenter Server 8.0 (8.0 U2 line): all releases earlier than 8.0 U2d
VMware vCenter Server 8.0 (8.0 U1 line): all releases earlier than 8.0 U1e
VMware vCenter Server 7.0: all releases earlier than 7.0 U3r
VMware Cloud Foundation 5.x (vCenter Server component): all releases without the patch in KB88287
VMware Cloud Foundation 4.x (vCenter Server component): all releases without the patch in KB88287
Mitigations
vCenter Server 8.0 (U2 line): upgrade to 8.0 U2d
vCenter Server 8.0 (U1 line): upgrade to 8.0 U1e
vCenter Server 7.0: upgrade to 7.0 U3r
Cloud Foundation 5.x and 4.x: apply the vCenter Server patch described in KB88287
After patching, confirm the running build on the appliance (for example with `vpxd -v` over SSH, or from the version shown in the appliance management interface on port 5480) rather than relying on the update job's status alone.
Additional Resources
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
https://core.vmware.com/resource/vmsa-2024-0012-questions-answers#next-expected-update
https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vcenter-rce-vulnerability-patch-now/