======================================================================
CERT-Renater Note d'Information No. 2024/VULN286
_____________________________________________________________________
DATE                 : 19/06/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running VMware Cloud Foundation, VMware vCenter Server versions prior to 8.0 U2d, 8.0 U1e, 7.0 U3r.
=====================================================================

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
_____________________________________________________________________

VMSA-2024-0012: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)

Product/Component        : VMware Cloud Foundation, VMware vCenter Server
Notification Id          : 24453
Last Updated             : 18 June 2024
Initial Publication Date : 18 June 2024
Status                   : CLOSED
Severity                 : CRITICAL
CVSS Base Score          : 7.8-9.8
WorkAround               :
Affected CVE             : CVE-2024-37079, CVE-2024-37080, CVE-2024-37081

Advisory ID   : VMSA-2024-0012
Severity      : Critical
CVSSv3 Range  : 7.8-9.8
Synopsis      : VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-37079, CVE-2024-37080, CVE-2024-37081)
Issue date    : 2024-06-17
Updated on    : 2024-06-17 (Initial Advisory)
CVE(s)        : CVE-2024-37079, CVE-2024-37080, CVE-2024-37081

1. Impacted Products

   VMware vCenter Server
   VMware Cloud Foundation

2. Introduction

Multiple heap-overflow and privilege escalation vulnerabilities in vCenter Server were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. VMware vCenter Server multiple heap-overflow vulnerabilities (CVE-2024-37079, CVE-2024-37080)

Description:
The vCenter Server contains multiple heap-overflow vulnerabilities in the implementation of the DCERPC protocol.
VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors:
A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet, potentially leading to remote code execution.

Resolution:
To remediate CVE-2024-37079 and CVE-2024-37080, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds:
In-product workarounds were investigated, but were determined not to be viable.

Additional Documentation:
A supplemental FAQ was created for additional clarification. Please see: https://core.vmware.com/resource/vmsa-2024-0012-questions-answers

Acknowledgments:
VMware would like to thank Hao Zheng (@zhz) and Zibo Li (@zbleet) from TianGong Team of Legendsec at Qi'anxin Group for reporting these issues to us.

Notes:
None.

3b. VMware vCenter multiple local privilege escalation vulnerabilities (CVE-2024-37081)

Description:
The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors:
An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.

Resolution:
To remediate CVE-2024-37081, apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds:
None.

Additional Documentation:
None.

Acknowledgments:
VMware would like to thank Matei "Mal" Badanoiu @ Deloitte Romania for reporting these issues to us.

Notes:
None.
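The Resolution paragraphs above direct administrators to the 'Fixed Version' column of the Response Matrix below. The following is an added example, not part of the VMware advisory or of the CERT-Renater note, that encodes that matrix and reports which of the three CVEs a given vCenter Server version string is still exposed to. It assumes VMware's "major.minor Un<letter>" naming (e.g. "8.0 U2c"), compares only within the same update line (so 8.0 U1e is fixed for the two heap overflows but the matrix lists no fix for CVE-2024-37081 on that line), and treats an update line newer than any listed as carrying the fixes, which is an assumption of mine rather than a statement of the advisory. The names parse_version, exposed_cves and VcVersion are my own.

```python
"""Exposure check derived from the VMSA-2024-0012 Response Matrix (added example)."""
import re
from dataclasses import dataclass

ADVISORY_CVES = frozenset({"CVE-2024-37079", "CVE-2024-37080", "CVE-2024-37081"})

# One entry per 'Fixed Version' row of the Response Matrix:
# (major.minor line, update number, first fixed letter) -> CVEs that row fixes.
FIXED_LINES = {
    ("8.0", 2, "d"): frozenset({"CVE-2024-37079", "CVE-2024-37080", "CVE-2024-37081"}),
    ("8.0", 1, "e"): frozenset({"CVE-2024-37079", "CVE-2024-37080"}),
    ("7.0", 3, "r"): frozenset({"CVE-2024-37079", "CVE-2024-37080", "CVE-2024-37081"}),
}

# Assumed naming scheme: "8.0", "8.0 U1", "8.0 U2c" (letter optional, case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class VcVersion:
    line: str      # "8.0" or "7.0"
    update: int    # 0 for the GA release
    letter: str    # "" for the base update release, otherwise "a".."z"


def parse_version(text):
    """Parse a vCenter version string into its line / update / letter parts."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    line, update, letter = m.group(1), m.group(2), m.group(3)
    return VcVersion(line, int(update) if update else 0, (letter or "").lower())


def exposed_cves(version_text):
    """Return the CVEs from this advisory that the given version is still exposed to.

    None means the major.minor line is not in the Response Matrix at all,
    so this advisory gives no answer for it.
    """
    v = parse_version(version_text)
    rows = {k: cves for k, cves in FIXED_LINES.items() if k[0] == v.line}
    if not rows:
        return None
    # Same update line as a fixed version: compare the letter suffix only.
    same_update = [(k, cves) for k, cves in rows.items() if k[1] == v.update]
    if same_update:
        (_line, _upd, first_fixed), covered = same_update[0]
        if v.letter >= first_fixed:          # "" sorts before "a", so "8.0 U2" is exposed
            return ADVISORY_CVES - covered
        return ADVISORY_CVES
    updates = [k[1] for k in rows]
    if v.update < min(updates):
        return ADVISORY_CVES                 # "prior to" every fixed line: exposed to all
    if v.update > max(updates):
        return frozenset()                   # assumption: a later update line carries the fixes
    return None                              # update line between listed ones: not answered here


if __name__ == "__main__":
    for sample in ("8.0 U2c", "8.0 U2d", "8.0 U1e", "7.0 U3q", "7.0 U2", "6.7 U3"):
        print(f"{sample:10s} -> {sorted(exposed_cves(sample) or []) if exposed_cves(sample) is not None else 'not covered by VMSA-2024-0012'}")
```

Feed it the version string shown by the vCenter Server Appliance management interface; a non-empty result means the deployment still needs the corresponding 'Fixed Version' from the matrix, and None means the line is outside this advisory's scope.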
Response Matrix:

VMware Product | Version | Running On | CVE                                            | CVSSv3        | Severity | Fixed Version | Workarounds | Additional Documentation
---------------|---------|------------|------------------------------------------------|---------------|----------|---------------|-------------|-------------------------
vCenter Server | 8.0     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 | 9.8, 9.8, 7.8 | Critical | 8.0 U2d       | None        | FAQ
vCenter Server | 8.0     | Any        | CVE-2024-37079, CVE-2024-37080                 | 9.8, 9.8      | Critical | 8.0 U1e       | None        | FAQ
vCenter Server | 7.0     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 | 9.8, 9.8, 7.8 | Critical | 7.0 U3r       | None        | FAQ

Impacted Product Suites that Deploy Response Matrix 3a and 3b Components:

VMware Product                    | Version | Running On | CVE                                            | CVSSv3        | Severity | Fixed Version | Workarounds | Additional Documentation
----------------------------------|---------|------------|------------------------------------------------|---------------|----------|---------------|-------------|-------------------------
Cloud Foundation (vCenter Server) | 5.x     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 | 9.8, 9.8, 7.8 | Critical | KB88287       | None        | FAQ
Cloud Foundation (vCenter Server) | 4.x     | Any        | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 | 9.8, 9.8, 7.8 | Critical | KB88287       | None        | FAQ

4. References:

Fixed Version(s) and Release Notes:

VMware vCenter Server 8.0 U2d
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5418
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u2d-release-notes/index.html

VMware vCenter Server 8.0 U1e
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5419
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u1e-release-notes/index.html

VMware vCenter Server 7.0 U3r
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5417
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3r-release-notes/index.html

KB Articles:
Cloud Foundation 5.x/4.x: https://knowledge.broadcom.com/external/article?legacyId=88287

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37081

FIRST CVSSv3 Calculator:
CVE-2024-37079:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-37080:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-37081:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

5. Change Log:

2024-06-17 VMSA-2024-0012 Initial security advisory.

6. Contact:

E-mail: [email protected]
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2024 Broadcom. All rights reserved.

=========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel       | fax : 01-53-94-20-41            +
+ 75013 Paris            | email: cert@support.renater.fr  +
=========================================================