VMware is urging customers to apply patches for two critical vulnerabilities in its vCenter Server centralized management utility, which if exploited could allow remote code execution.
The heap overflow flaws (CVE-2024-37079 and CVE-2024-37080) exist in the vCenter Server’s implementation of the DCE/RPC protocol, which enables remote procedure calls. VMware said it is not aware of current exploitation of the bugs in the wild, but vCenter Server is a product that has previously been targeted by threat actors. The two flaws have a base score of 9.8 on the CVSSv3 severity scale.
“A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution,” according to VMware’s security update on Monday.
The two flaws were reported to VMware by Hao Zheng and Zibo Li from TianGong Team of Legendsec at Qi'anxin Group.
VMware urged customers to install the patches listed in its security advisory, noting that products that contain vCenter Server, including vSphere and Cloud Foundation, are also impacted.
VMware said that no mitigations are available, however, “there may be other mitigations and compensating controls available in your organization, depending on your security posture, defense-in-depth strategies, and configurations of perimeter firewalls and appliance firewalls. All organizations must decide for themselves whether to rely on those protections.”
VMware also issued a fix for important-severity local privilege escalation bugs (tied to CVE-2024-37081) in vCenter. VMware said that attackers with non-administrative privileges could exploit the bugs to elevate privileges to root on a vCenter Server Appliance - but they would need to be authenticated and local, making the flaws slightly less severe.
Critical flaws have previously been found in VMware’s vCenter Server, which aims to help users manage virtual machines, ESXi hosts, and other components from a centralized location. Vulnerabilities in this server management software have also been targeted by threat actors. Earlier this year, researchers found that a Chinese threat group had exploited a critical vCenter Server remote code execution flaw for almost two years before patches were released in October 2023.