
VMware vCenter RCE Vulnerability: What You Need to Know

VMware, the virtualization technology giant owned by Broadcom, has recently released a security advisory addressing several critical vulnerabilities discovered in its vCenter Server application. Read on to learn more. 

Tell me more about the VMware vCenter RCE vulnerability

If left unpatched, these vulnerabilities could allow malicious actors to execute remote code or escalate privileges on affected systems. Because vCenter Server is the central management platform for VMware vSphere, used to manage virtual machines and ESXi hosts, organizations running this software should take immediate action to mitigate the risks associated with these vulnerabilities.

The security advisory issued by VMware details three critical vulnerabilities that impact vCenter Server: 

  1. CVE-2024-37079: This vulnerability is a heap overflow flaw in the DCERPC protocol implementation of vCenter Server. By sending specially crafted packets, an attacker with network access could potentially exploit this vulnerability to execute remote code on the targeted system. The vulnerability has been assigned a CVSS v3.1 score of 9.8, indicating its critical severity. 
  2. CVE-2024-37080: Similar to CVE-2024-37079, this vulnerability is another heap overflow issue in the DCERPC protocol of vCenter Server. An attacker with network access could send crafted packets to exploit the heap overflow, potentially leading to remote code execution. This vulnerability also has a CVSS v3.1 score of 9.8, emphasizing its critical nature. 
  3. CVE-2024-37081: This vulnerability stems from a misconfiguration of sudo in vCenter Server. By exploiting this flaw, an authenticated local user could elevate their privileges to root on the vCenter Server Appliance. The vulnerability has a CVSS v3.1 score of 7.8, considered “high” severity. 

The affected versions of VMware software include vCenter Server versions 7.0 and 8.0, as well as VMware Cloud Foundation versions 4.x and 5.x. VMware has released fixes for vCenter versions 8.0 and 7.0, and asynchronous patches are available for Cloud Foundation versions 5.x and 4.x. However, it is important to note that vSphere versions that have reached End of General Support, such as vSphere 6.5 and 6.7, have not been assessed for these vulnerabilities and will not receive updates. 

According to VMware’s FAQ page, there have been no reports of active exploitation of these vulnerabilities in the wild at the time of writing. 

What is Nuspire doing? 

Nuspire is proactively addressing the VMware vCenter Server vulnerabilities by applying patches as soon as they are released, following vendor recommendations. Additionally, Nuspire is actively conducting threat hunting exercises to identify any indications of compromise within its clients’ environments.

What should I do? 

Organizations using VMware vCenter Server to manage vSphere environments or as part of Cloud Foundation should prioritize patching their systems promptly. Applying the available patches significantly reduces exposure to potential cyberattacks and minimizes the risk of compromise. Ensuring all affected systems are updated to the latest patched versions is essential for maintaining a secure infrastructure. 

Beyond patching these specific vulnerabilities, organizations should implement a comprehensive vulnerability management program. This includes consistent vulnerability scanning, assessment, prioritizing patches based on risk severity, and establishing a well-defined patch management process. Regular monitoring for new vulnerabilities is also crucial. By proactively identifying and addressing vulnerabilities across their IT infrastructure, organizations can greatly reduce their attack surface and strengthen their overall cybersecurity posture.
