Critical RCE flaws in vCenter Server fixed (CVE-2024-37079, CVE-2024-37080)
VMware by Broadcom has fixed two critical vulnerabilities affecting VMware vCenter Server and products that contain it: vSphere and Cloud Foundation.
"A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution," the company said, but noted that it is currently not aware of them being exploited "in the wild".
VMware vCenter Server is a popular server management solution for controlling vSphere environments.
At the same time, VMware has fixed several local privilege escalation vulnerabilities that may arise due to misconfiguration of sudo and may allow an authenticated local user with non-administrative privileges to elevate privileges to root on vCenter Server Appliance.
The three vulnerabilities have been privately reported by security researchers and affect vCenter Server versions 7.0 and 8.0, as well as Cloud Foundation versions 4.x and 5.x. Products that are past their End of General Support dates - i.e., vSphere 6.5 or 6.7 - "are not evaluated as part of security advisories. If your organization has extended support please use those processes to request assistance," the company said in an accompanying FAQ document.
"Many appliances, such as the vCenter Server Appliance, have firewalling capabilities accessible through the Virtual Appliance Management Interface. This firewall can be used to help restrict access and potentially help mitigate vulnerabilities."
News URL
https://www.helpnetsecurity.com/2024/06/18/cve-2024-37079-cve-2024-37080/