VMware by Broadcom warns of two critical vCenter flaws, plus a nasty sudo bug

June 18, 2024 at 02:11AM

Two critical-rated flaws (CVE-2024-37079 and CVE-2024-37080) in VMware vCenter Server, now published by Broadcom, allow remote code execution. Both are heap overflows in vCenter's implementation of the DCE/RPC protocol, and an attacker with network access to vCenter Server can trigger them by sending a specially crafted packet; the 9.8 CVSS score reflects that no authentication is needed. Broadcom reports no known in-the-wild exploitation, but the older vSphere 6.5 and 6.7 lines are affected and will not receive fixes. A third, important-rated flaw (CVE-2024-37081) is a local privilege escalation caused by a sudo misconfiguration in the vCenter appliance. Fixed versions are available for the supported 7.0 and 8.0 lines.

Key points:

1. Two critical-rated flaws in vCenter Server have been disclosed by Broadcom, which now owns VMware.
– The flaws are CVE-2024-37079 and CVE-2024-37080, both scored 9.8 on the Common Vulnerability Scoring System v3 scale.
– Broadcom describes them as “heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol”; a malicious actor with network access to vCenter Server can trigger them with a specially crafted network packet, potentially leading to remote code execution.

2. Patched versions of vCenter Server and Cloud Foundation are already available. Broadcom's advisory (VMSA-2024-0012) lists vCenter Server 8.0 U2d, 8.0 U1e and 7.0 U3r as the fixed releases, with corresponding async patches for Cloud Foundation; there is no workaround, so patching is the only remediation.

3. Older vSphere lines (6.5 and 6.7) are also affected by the flaws but will not be fixed, as they are out of support; installations still on those versions must be upgraded, and until then their management interfaces should be reachable only from a restricted management network.

4. A third flaw, CVE-2024-37081, is a local privilege escalation vulnerability caused by a misconfiguration of sudo in the vCenter Server appliance; an authenticated local user with non-administrative privileges can use it to gain root.
– Rated important with a CVSS score of 7.8.

5. Versions of vCenter Server and Cloud Foundation affected by these flaws were released before Broadcom’s ownership of VMware.

6. Broadcom is not currently aware of exploitation ‘in the wild’.

7. Matei “Mal” Badanoiu of Deloitte Romania is credited for finding the flaws.
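Points 2 and 3 turn into an inventory question for operators: which vCenter appliances are on a branch that has a fix, which are behind the fix on their own branch, and which are on an end-of-support line that will never get one. The pitfall is that fixes ship per branch, so a plain "newer is better" comparison gets it wrong (an 8.0 U1 host at its branch's fixed release is patched even though it sorts below an unpatched 8.0 U2 host). The following is an added example, not code from VMware, Broadcom or the article; it assumes the dotted version string that the vCenter appliance API (`GET /api/appliance/system/version`) returns, and the numeric thresholds in `FIXED_MINIMUM` and the hosts in `SAMPLE_INVENTORY` are constructed placeholders that an operator must replace with the values from the Broadcom advisory and their own fleet.

```python
"""Triage a vCenter inventory against per-branch fixed versions.

Added example; not VMware/Broadcom code. Assumes each appliance reports a
dotted version such as "8.0.2.00400" (the `version` field of the appliance
API's /api/appliance/system/version response). Thresholds are placeholders.
"""
from __future__ import annotations

from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# HYPOTHETICAL per-branch minimum fixed versions. These numbers are NOT taken
# from the advisory; replace them with the fixed builds Broadcom publishes.
# Keyed by (major, minor, update) so each branch is judged on its own.
FIXED_MINIMUM: Dict[Tuple[int, int, int], Version] = {
    (8, 0, 2): (8, 0, 2, 400),    # stands in for the 8.0 U2 line's fixed release
    (8, 0, 1): (8, 0, 1, 500),    # stands in for the 8.0 U1 line's fixed release
    (7, 0, 3): (7, 0, 3, 1800),   # stands in for the 7.0 U3 line's fixed release
}

# Lines the advisory says are affected but out of support: no fix will ship.
UNSUPPORTED_LINES = {(6, 5), (6, 7)}


def parse_version(text: str) -> Version:
    """Turn "8.0.2.00400" into (8, 0, 2, 400); pads short strings with zeros.

    Leading zeros in the last component are significant only as digits, so
    the tuple comparison below is numeric, not lexicographic.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable vCenter version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 4:
        nums.append(0)
    return (nums[0], nums[1], nums[2], nums[3])


def classify(version_text: str) -> str:
    """Classify one appliance relative to its own branch's fixed release."""
    v = parse_version(version_text)
    if (v[0], v[1]) in UNSUPPORTED_LINES:
        return "unsupported-no-fix"          # must upgrade; patching is impossible
    fixed = FIXED_MINIMUM.get((v[0], v[1], v[2]))
    if fixed is None:
        return "unknown-branch"              # not in the table: check the advisory by hand
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map host name -> status for a dict of appliance API version responses."""
    return {host: classify(resp["version"]) for host, resp in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY: Dict[str, Dict[str, str]] = {
    "vc-prod-01": {"version": "8.0.2.00400"},  # exactly at the placeholder fix
    "vc-prod-02": {"version": "8.0.2.00300"},  # one release behind on its branch
    "vc-lab-01":  {"version": "8.0.1.00500"},  # "older" than prod-02, yet patched
    "vc-dr-01":   {"version": "7.0.3.01700"},  # behind the 7.0 U3 placeholder fix
    "vc-legacy":  {"version": "6.7.0.50000"},  # end of support, no fix available
}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {SAMPLE_INVENTORY[host]['version']:14s} {status}")
```

The point the sample makes is that `vc-lab-01` is reported as patched even though its version sorts below the still-vulnerable `vc-prod-02`; a script that compared every host against a single "latest" version would mis-triage one of the two. Anything on a branch not in the table is returned as `unknown-branch` rather than silently treated as safe, which is the conservative choice when new update lines appear after the advisory.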
