Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Patches

VMware by Broadcom warns of two critical vCenter flaws, plus a nasty sudo bug

Specially crafted network packet could allow remote code execution and access to VM fleets

Simon Sharwood Tue 18 Jun 2024  //  06:08 UTC

VMware by Broadcom has revealed a pair of critical-rated flaws in vCenter Server – the tool used to manage virtual machines and hosts in its flagship Cloud Foundation and vSphere suites.

Announced late on Monday night, Pacific Time, the critical-rated flaws are CVE-2024-37079 and CVE-2024-37080, both of which scored 9.8 on the ten-point Common Vulnerability Scoring System v3 scale.

VMware's security bulletin describes both of the flaws as "heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol" that mean "A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution."

DCE/RPC (which stands for Distributed Computing Environment/Remote Procedure Calls) is a means of calling a procedure on a remote machine as if it were a local machine – just the ticket when managing virtual machines.

However, the prospect of an attacker using the flaws to run code on vCenter Server and drive fleets of VMs and hosts is deeply unpleasant.

VMware has published a resource for its customers that states the Broadcom business unit "is not currently aware of exploitation 'in the wild'."

The good news is that patched versions of vCenter Server and Cloud Foundation are already available.

The bad news is that VMware hass not considered whether the flaws impact older versions of vSphere – meaning versions 6.5 and 6.7, which exited support in October 2022 but are still widely used, may be impacted but won't be fixed.

Further unwelcome news is that VMware also revealed a third flaw – CVE-2024-37081 – described as "local privilege escalation vulnerabilities due to misconfiguration of sudo." This one is rated important, with a score of 7.8, as it could mean "An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance."

The versions of vCenter Server and Coud Foundation affected by these flaws were released before Broadcom took over VMware – a tidbit we mention as some doomsayers have suggested job cuts at the virty giant could impact product quality.

VMware has tipped its hat to Matei "Mal" Badanoiu of Deloitte Romania for finding the flaws. ®
Send us news
8 Comments

VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time

If the first patches don't work, try, try again

Veeam tests support for another VMware alternative: XCP-NG

As Gartner rates the contenders for those contemplating a move off Virtzilla, with Nutanix on top of the list

VMware by Broadcom lifts storage allowances and prices for vSphere Foundation

This will both ease and exacerbate price concerns and competitive sniping

Windows Themes zero-day bug exposes users to NTLM credential theft

Plus a free micropatch until Redmond fixes the flaw

Emergency patch: Cisco fixes bug under exploit in brute-force attacks

Who doesn't love abusing buggy appliances, really?

Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch

Plus, a POC to make it extra easy for attackers

Wanted. Top infosec pros willing to defend Britain on shabby salaries

GCHQ job ads seek top talent with bottom-end pay packets

Just how private is Apple's Private Cloud Compute? You can test it to find out

Also updates bug bounty program with $1M payout

Five Eyes nations tell tech startups to take infosec seriously. Again

Only took 'em a year to dish up some scary travel advice, and a Secure Innovation … Placemat?

AT&T and Broadcom may settle VMware support case

Fresh filing sees Broadcom admit it discounts deeply – music to the ears of all Virtzilla users coming off contract

Sophos to snatch Secureworks in $859M buyout: Why fight when you can just buy?

Private equity giant Thoma Bravo adds another trophy to its growing collection

The billionaire behind Trump's 'unhackable' phone is on a mission to fight Tesla's FSD

Dan O'Dowd tells El Reg about the OS secrets and ongoing clash with Musk