Letting Your Employees Work from Home Can Create These Cybersecurity Vulnerabilities
Last updated September 23, 2021
VMware has released updates (VMSA-2024-0012) to address critical heap overflow and privilege escalation vulnerabilities affecting ‘VMware vCenter Server’ and ‘Cloud Foundation.’ The Common Vulnerabilities and Exposures (CVE) identifiers for these flaws are CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081.
These three issues affect ‘vCenter Server’ versions 7.0 and 8.0, and all have been addressed in versions 7.0 U3r, 8.0 U1e, and 8.0 U2d.
‘vCenter Server’ contains multiple critical heap overflow vulnerabilities in its implementation of the DCERPC protocol (CVE-2024-37079, CVE-2024-37080) that could potentially be exploited for remote code execution by threat actors who send malicious network packets.
The local privilege escalation vulnerabilities in ‘vCenter Server’ (CVE-2024-37081) are due to a sudo misconfiguration. An authenticated local user with non-administrative privileges may abuse these flaws to gain root privileges on the ‘vCenter Server Appliance.’
CVE-2024-37079 and CVE-2024-37080 were reported by Hao Zheng and Zibo Li from the TianGong Team of Legendsec at Qi'anxin Group, while Matei "Mal" Badanoiu from Deloitte Romania spotted CVE-2024-37081.
These updates come after the cybercriminal gang UNC3944 was seen running virtual machines inside victims’ infrastructure. The group deployed an aggressive persistence method: using stolen credentials for single sign-on (SSO) apps, they accessed vSphere and Azure and created new virtual machines (VMs). They also used exposed login details to access apps such as vCenter, CyberArk, Salesforce, Azure, CrowdStrike, GCP, and Amazon Web Services (AWS).