VMware vCenter Server Patches Heap Overflow and Privilege Escalation Vulnerabilities

• VMware has released updates that address critical and important vulnerabilities affecting Cloud Foundation and vCenter Server.
• These flaws could be exploited for privilege escalation and remote code execution.
• Two were marked as ‘critical,’ and one marked as ‘important’ was due to the misconfiguration of sudo.

VMware vCenter Server released updates (VMSA-2024-0012) to address critical heap overflow and privilege escalation vulnerabilities that impact ‘VMware vCenter Server’ and ‘Cloud Foundation.’ The Common Vulnerabilities and Exposures (CVE) codes for these flaws are  CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081.

These three issues affect ‘vCenter Server’ versions 7.0 and 8.0, and all have been addressed in versions 7.0 U3r, 8.0 U1e, and 8.0 U2d.

‘vCenter Server’ contains multiple critical heap overflow vulnerabilities in the implementation of the DCERPC protocol (CVE-2024-37079, CVE-2024-37080) that can be potentially exploited for remote code execution by threat actors who send malicious network packets.

The local privilege escalation vulnerabilities (CVE-2024-37081) of ‘vCenter Server’ are due to the misconfiguration of sudo. An authenticated local user with non-administrative privileges may abuse these flaws to gain root privileges on 'vCenter Server Appliance.'

CVE-2024-37079 and CVE-2024-37080 were reported by Hao Zheng and Zibo Li from the TianGong Team of Legendsec at Qi'anxin Group, while Matei "Mal" Badanoiu from Deloitte Romania spotted CVE-2024-37081.

These updates come after the cybercriminal gang UNC3944 was seen running virtual machines inside victims’ infrastructure. They deployed an aggressive persistence method by accessing vSphere and Azure using stolen credentials on single sign-on (SSO) apps to create new virtual machines (VMs). They also used exposed login details to access apps like vCenter, CyberArk, SalesForce, Azure, CrowdStrike, GCP, and Amazon Web Services (AWS).