Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Patches

VMware by Broadcom warns of two critical vCenter flaws, plus a nasty sudo bug

Specially crafted network packet could allow remote code execution and access to VM fleets

Simon Sharwood Tue 18 Jun 2024  //  06:08 UTC

VMware by Broadcom has revealed a pair of critical-rated flaws in vCenter Server – the tool used to manage virtual machines and hosts in its flagship Cloud Foundation and vSphere suites.

Announced late on Monday night, Pacific Time, the critical-rated flaws are CVE-2024-37079 and CVE-2024-37080, both of which scored 9.8 on the ten-point Common Vulnerability Scoring System v3 scale.

VMware's security bulletin describes both of the flaws as "heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol" that mean "A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution."

DCE/RPC (which stands for Distributed Computing Environment/Remote Procedure Calls) is a means of calling a procedure on a remote machine as if it were a local machine – just the ticket when managing virtual machines.

However, the prospect of an attacker using the flaws to run code on vCenter Server and drive fleets of VMs and hosts is deeply unpleasant.

VMware has published a resource for its customers that states the Broadcom business unit "is not currently aware of exploitation 'in the wild'."

The good news is that patched versions of vCenter Server and Cloud Foundation are already available.

The bad news is that VMware hass not considered whether the flaws impact older versions of vSphere – meaning versions 6.5 and 6.7, which exited support in October 2022 but are still widely used, may be impacted but won't be fixed.

Further unwelcome news is that VMware also revealed a third flaw – CVE-2024-37081 – described as "local privilege escalation vulnerabilities due to misconfiguration of sudo." This one is rated important, with a score of 7.8, as it could mean "An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance."

The versions of vCenter Server and Coud Foundation affected by these flaws were released before Broadcom took over VMware – a tidbit we mention as some doomsayers have suggested job cuts at the virty giant could impact product quality.

VMware has tipped its hat to Matei "Mal" Badanoiu of Deloitte Romania for finding the flaws. ®
Send us news
8 Comments

Ingram Micro to 'stop doing business' with Broadcom, downgrade to 'limited engagement' on VMware

Distributor couldn't do a deal that delivered 'appropriate shareholder return', chip giant says it 'continues to refine' its channel

Broadcom says VMware is a better money-making machine than it hoped

Chip side of the biz expects to take lion's share of hyperscalers' $60-90 billion XPU spend in 2027, helped by 3nm models coming next year

Critical security hole in Apache Struts under exploit

You applied the patch that could stop possible RCE attacks last week, right?

Ransomware scum blow holes in Cleo software patches, Cl0p (sort of) claims responsibility

But can you really take crims at their word?

BlackBerry offloads Cylance's endpoint security products to Arctic Wolf

Fresh attempt to mix the perfect cocktail of IoT and Infosec

US reportedly mulls TP-Link router ban over national security risk

It could end up like Huawei -Trump's gonna get ya, get ya, get ya

Microsoft won't let customers opt out of passkey push

Enrollment invitations will continue until security improves

How Androxgh0st rose from Mozi's ashes to become 'most prevalent malware'

Botnet's operators 'driven by similar interests as that of the Chinese state'

Australia moves to drop some cryptography by 2030 – before quantum carves it up

The likes of SHA-256, RSA, ECDSA and ECDH won't be welcome in just five years

Broadcom makes U-turn on plan to serve top 2,000 VMware customers itself

Now wants to work with 500 and lean more on partners to defend against migrations – which Dell says are on the cards

Suspected LockBit dev, facing US extradition, 'did it for the money'

Dual Russian-Israeli national arrested in August

Don't fall for a mail asking for rapid Docusign action – it may be an Azure account hijack phish

Recent campaign targeted 20,000 folk across UK and Europe with this tactic, Unit 42 warns