Critical RCE flaws in vCenter Server fixed (CVE-2024-37079, CVE-2024-37080) (Security News, June 2024)
VMware by Broadcom has fixed two critical vulnerabilities affecting VMware vCenter Server and products that contain it: vSphere and Cloud Foundation.
"A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution," the company said, but noted that they are currently not aware of them being exploited "in the wild".
VMware vCenter Server is a popular server management solution for controlling vSphere environments.
At the same time, VMware has fixed several local privilege escalation vulnerabilities that may arise due to misconfiguration of sudo and may allow an authenticated local user with non-administrative privileges to elevate privileges to root on vCenter Server Appliance.
The three vulnerabilities have been privately reported by security researchers and affect vCenter Server versions 7.0 and 8.0, as well as Cloud Foundation versions 4.x and 5.x. Products that are past their End of General Support dates - i.e., vSphere 6.5 or 6.7 - "are not evaluated as part of security advisories. If your organization has extended support please use those processes to request assistance," the company said in an accompanying FAQ document.
"Many appliances, such as the vCenter Server Appliance, have firewalling capabilities accessible through the Virtual Appliance Management Interface. This firewall can be used to help restrict access and potentially help mitigate vulnerabilities."
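The firewall the FAQ refers to can be reviewed without touching the appliance interactively. The script below is an added example, not code from the article or from VMware; it assumes the rule shape returned by the appliance REST API (`GET /api/appliance/networking/firewall/inbound`: a list of objects with `address`, `prefix`, `policy` and `interface_name`), that rules are matched in order with the first match winning, and that a source matching no rule is accepted. Under those assumptions it checks whether a ruleset actually restricts access to a management allowlist, which is the mitigation the advisory suggests.

```python
"""Audit inbound firewall rules of a vCenter Server Appliance.

Added example (not from the news item or VMware). Assumed rule shape, taken
from the appliance REST API GET /api/appliance/networking/firewall/inbound:
  {"address": "10.10.0.0", "prefix": 24, "policy": "ACCEPT", "interface_name": "*"}
Assumed semantics: rules are evaluated top to bottom, first match wins, and a
source matching no rule is accepted. A restrictive set therefore needs an
explicit catch-all deny as its last rule.
"""
import ipaddress
import json

# Constructed sample: allow the management subnet, drop everything else.
SAMPLE_RULES = json.loads("""
[
  {"address": "10.10.0.0", "prefix": 24, "policy": "ACCEPT", "interface_name": "*"},
  {"address": "0.0.0.0",  "prefix": 0,  "policy": "REJECT", "interface_name": "*"}
]
""")

ALLOW = {"ACCEPT"}
DENY = {"REJECT", "IGNORE"}  # policy values of the assumed API


def rule_network(rule):
    """Turn a rule's address/prefix pair into an ip_network object."""
    return ipaddress.ip_network(f"{rule['address']}/{rule['prefix']}", strict=False)


def decision_for(rules, source_ip):
    """Return the policy applied to traffic from source_ip (first match wins)."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        net = rule_network(rule)
        if ip.version == net.version and ip in net:
            return rule["policy"]
    return "ACCEPT"  # assumption: unmatched traffic is accepted


def audit(rules, allowed_networks):
    """Report gaps: missing catch-all deny, or accepts outside the allowlist.

    allowed_networks: CIDR strings of the networks that should reach vCenter.
    Returns a list of human-readable findings; empty means the set looks tight.
    """
    findings = []
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]

    last = rules[-1] if rules else None
    if last is None or last["policy"] not in DENY or rule_network(last).prefixlen != 0:
        findings.append("no catch-all deny as the last rule: unmatched sources are accepted")

    for i, rule in enumerate(rules):
        if rule["policy"] not in ALLOW:
            continue
        net = rule_network(rule)
        # subnet_of() raises on mixed IP versions, hence the version check.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append(f"rule {i} accepts {net}, outside the management allowlist")
    return findings


if __name__ == "__main__":
    for src in ("10.10.0.25", "203.0.113.7"):
        print(src, "->", decision_for(SAMPLE_RULES, src))
    print("findings:", audit(SAMPLE_RULES, ["10.10.0.0/16"]) or "none")
```

Feed `audit()` the JSON the appliance API returns for a real vCenter and the CIDRs of your management networks; a finding about the missing catch-all is the usual reason a "restricted" appliance is still reachable from every VLAN.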
News URL
https://www.helpnetsecurity.com/2024/06/18/cve-2024-37079-cve-2024-37080/
Related news
- Critical RCE bug in VMware vCenter Server now exploited in attacks
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
- Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418)
- HPE warns of critical RCE flaws in Aruba Networking access points
- Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910)
- Critical Veeam RCE bug now used in Frag ransomware attacks
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks
- Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers