======================================================================
CERT-Renater Information Note No. 2024/VULN294
_____________________________________________________________________
DATE                 : 25/06/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running VMware ESXi, vCenter Server,
                       VMware Cloud Foundation.
=====================================================================
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
_____________________________________________________________________

VMSA-2024-0013: VMware ESXi and vCenter Server updates address multiple
security vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087)

Product/Component        : VMware Cloud Foundation, VMware vCenter Server,
                           VMware vSphere ESXi
Notification Id          : 24505
Last Updated             : 25 June 2024
Initial Publication Date : 25 June 2024
Status                   : CLOSED
Severity                 : MEDIUM
CVSS Base Score          : 5.3-6.8
WorkAround               :
Affected CVE             : CVE-2024-37085, CVE-2024-37086, CVE-2024-37087

Advisory ID       : VMSA-2024-0013
Advisory Severity : Moderate
CVSSv3 Range      : 5.3-6.8
Synopsis          : VMware ESXi and vCenter Server updates address multiple
                    vulnerabilities (CVE-2024-37085, CVE-2024-37086,
                    CVE-2024-37087)
Issue date        : 2024-06-25
Updated on        : 2024-06-25 (Initial Advisory)
CVE(s)            : CVE-2024-37085, CVE-2024-37086, CVE-2024-37087

1. Impacted Products

   VMware ESXi
   VMware vCenter Server
   VMware Cloud Foundation

2. Introduction

   Multiple vulnerabilities in ESXi and vCenter Server were responsibly
   reported to VMware. Updates are available to remediate these
   vulnerabilities in affected VMware products.

3a. VMware ESXi Active Directory Integration Authentication Bypass
    (CVE-2024-37085)

   Description: VMware ESXi contains an authentication bypass
   vulnerability. VMware has evaluated the severity of this issue to be in
   the Moderate severity range with a maximum CVSSv3 base score of 6.8.
   Known Attack Vectors: A malicious actor with sufficient Active
   Directory (AD) permissions can gain full access to an ESXi host that
   was previously configured to use AD for user management by re-creating
   the configured AD group ('ESXi Admins' by default) after it was deleted
   from AD.

   Resolution: To remediate CVE-2024-37085 apply the updates listed in the
   'Fixed Version' column of the 'Response Matrix' below to affected
   deployments.

   Workarounds: In-product workarounds for CVE-2024-37085 can be found in
   the 'Workaround' column of the 'Response Matrix' below.

   Additional Documentation: None.

   Acknowledgments: VMware would like to thank Edan Zwick, Danielle
   Kuznets Nohi, and Meitar Pinto of Microsoft for reporting this issue to
   us.

   Notes: None.

   Response Matrix:

   VMware Product           Version  Running On  CVE             CVSSv3  Severity  Fixed Version      Workarounds  Additional Documentation
   ESXi                     8.0      Any         CVE-2024-37085  6.8     Moderate  ESXi80U3-24022510  KB369707     None
   ESXi                     7.0      Any         CVE-2024-37085  6.8     Moderate  No Patch Planned   KB369707     None
   VMware Cloud Foundation  5.x      Any         CVE-2024-37085  6.8     Moderate  Patch Pending      KB369707     None
   VMware Cloud Foundation  4.x      Any         CVE-2024-37085  6.8     Moderate  No Patch Planned   KB369707     None

3b. VMware ESXi out-of-bounds read vulnerability (CVE-2024-37086)

   Description: VMware ESXi contains an out-of-bounds read vulnerability.
   VMware has evaluated the severity of this issue to be in the Moderate
   severity range with a maximum CVSSv3 base score of 6.8.

   Known Attack Vectors: A malicious actor with local administrative
   privileges on a virtual machine with an existing snapshot may trigger
   an out-of-bounds read leading to a denial-of-service condition of the
   host.

   Resolution: To remediate CVE-2024-37086 apply the updates listed in the
   'Fixed Version' column of the 'Response Matrix' below to affected
   deployments.

   Workarounds: None.

   Additional Documentation: None.
   Acknowledgments: VMware would like to thank Hao Zheng (@zhz) and
   Jiaqing Huang (@s0duku) from TianGong Team of Legendsec at Qi'anxin
   Group for reporting this issue to us.

   Notes: None.

   Response Matrix:

   VMware Product           Version  Running On  CVE             CVSSv3  Severity  Fixed Version               Workarounds  Additional Documentation
   ESXi                     8.0      Any         CVE-2024-37085  6.8     Moderate  ESXi80U3-24022510           None         None
   ESXi                     7.0      Any         CVE-2024-37085  6.8     Moderate  ESXi70U3sq-23794019         None         None
   VMware Cloud Foundation  5.x      Any         CVE-2024-37085  6.8     Moderate  Patch Pending               None         None
   VMware Cloud Foundation  4.x      Any         CVE-2024-37085  6.8     Moderate  Async patch to ESXi 7.0 U3q None         Async Patching Guide: KB88287

3c. VMware vCenter denial-of-service vulnerability (CVE-2024-37087)
_____________________________________________________________________

   Description: The vCenter Server contains a denial-of-service
   vulnerability. VMware has evaluated the severity of this issue to be in
   the Moderate severity range with a maximum CVSSv3 base score of 5.3.

   Known Attack Vectors: A malicious actor with network access to vCenter
   Server may create a denial-of-service condition.

   Resolution: To remediate CVE-2024-37087 apply the updates listed in the
   'Fixed Version' column of the 'Response Matrix' below to affected
   deployments.

   Workarounds: None.

   Additional Documentation: None.

   Acknowledgments: VMware would like to thank Guy Lederfein of Trend
   Micro for reporting this issue to us.

   Notes:
   [1] The vCenter Server 7.0 version (7.0 U3q) mentioned in the response
       matrix is the first to address this issue but not the latest. The
       recommendation is to consume the latest version, i.e. vCenter
       Server 7.0 U3r, to resolve the Critical severity vulnerabilities
       documented in VMSA-2024-0012.
_____________________________________________________________________

   Response Matrix:

   VMware Product           Version  Running On  CVE             CVSSv3  Severity  Fixed Version              Workarounds  Additional Documentation
   vCenter Server           8.0      Any         CVE-2024-37087  5.3     Moderate  8.0 U3                     None         None
   vCenter Server           7.0      Any         CVE-2024-37087  5.3     Moderate  7.0 U3q [1]                None         None
   VMware Cloud Foundation  5.x      Any         CVE-2024-37087  5.3     Moderate  Patch Pending              None         None
   VMware Cloud Foundation  4.x      Any         CVE-2024-37087  5.3     Moderate  Async patch to 7.0 U3q [1] None         Async Patching Guide: KB88287

4. References:

   Fixed Version(s) and Release Notes:

   VMware ESXi 8.0 U3 Downloads and Documentation:
   https://support.broadcom.com/group/ecx/productfiles?displayGroup=VMware%20vSphere%20-%20Standard&release=8.0&os=&servicePk=202631&language=EN&groupId=204419
   https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-803-release-notes/index.html

   VMware ESXi 7.0 ESXi70U3sq-23794019 Downloads and Documentation:
   https://support.broadcom.com/web/ecx/solutiondetails?patchId=5330
   https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3q-release-notes/index.html

   VMware vCenter Server 8.0 U3 Downloads and Documentation:
   https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20vCenter%20Server&displayGroup=VMware%20vCenter%20Server%208.x&release=8.0U3&os=&servicePk=520490&language=EN
   https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-803-release-notes/index.html

   VMware vCenter Server 7.0 U3q Downloads and Documentation:
   https://support.broadcom.com/web/ecx/solutiondetails?patchId=5329
   https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3q-release-notes/index.html

   KB Articles:

   Cloud Foundation 5.x/4.x:
   https://knowledge.broadcom.com/external/article?legacyId=88287

   Mitre CVE Dictionary Links:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37085
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37086
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37087

   FIRST
   CVSSv3 Calculator:
   CVE-2024-37085: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
   CVE-2024-37086: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
   CVE-2024-37087: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5. Change Log:

   2024-06-25 VMSA-2024-0013 Initial security advisory.

6. Contact:

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2024 Broadcom. All rights reserved.

=========================================================
+ CERT-RENATER        | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax   : 01-53-94-20-41           +
+ 75013 Paris         | email : cert@support.renater.fr  +
=========================================================
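Added to this note as an example for section 3a (CVE-2024-37085); it is not part of VMSA-2024-0013 or of the CERT-Renater text. It is a PowerCLI inventory that lists, per ESXi host, whether the host uses AD for user management (the precondition named in the attack vector) and whether its build meets the 'Fixed Version' from the 3a response matrix. It assumes VMware PowerCLI is installed and that Connect-VIServer has already been run against the vCenter Server. The two advanced-setting names it reads (esxAdminsGroup and esxAdminsGroupAutoAdd) are standard ESXi host settings and are an assumption of this example, not values quoted from the advisory; their recommended values are in KB369707, which this note references but does not reproduce, so the script only reports the current values for comparison against that KB.

```powershell
# Added example, not code from VMSA-2024-0013 or CERT-Renater.
# Assumes: PowerCLI loaded, Connect-VIServer session already established.
# The advanced-setting names below are standard ESXi host settings (assumption,
# not taken from the advisory). Recommended values: see KB369707.

$FixedBuildEsxi8 = 24022510   # 'Fixed Version' for ESXi 8.0: ESXi80U3-24022510
$GroupSetting    = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$AutoAddSetting  = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

function Get-Cve202437085Exposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost   # a VMHost object from Get-VMHost
    )
    process {
        # AD user management on the host: Domain is empty when not joined.
        $auth     = Get-VMHostAuthentication -VMHost $VMHost
        $adJoined = -not [string]::IsNullOrEmpty($auth.Domain)

        # Current values of the ESXi admin-group settings (compare with KB369707).
        $settings = Get-AdvancedSetting -Entity $VMHost -Name "$GroupSetting*"
        $group    = ($settings | Where-Object Name -eq $GroupSetting).Value
        $autoAdd  = ($settings | Where-Object Name -eq $AutoAddSetting).Value

        # Patch state per the section 3a response matrix.
        $build      = [int]$VMHost.Build
        $patchState = switch -Wildcard ($VMHost.Version) {
            '8.0*'  { if ($build -ge $FixedBuildEsxi8) { 'Fixed (>= ESXi80U3-24022510)' }
                      else { 'Update required (ESXi80U3-24022510)' } }
            '7.0*'  { 'No Patch Planned per VMSA-2024-0013; apply KB369707 workaround' }
            default { 'Not covered by this advisory' }
        }

        [pscustomobject]@{
            Host           = $VMHost.Name
            Version        = $VMHost.Version
            Build          = $VMHost.Build
            PatchState     = $patchState
            ADDomain       = $auth.Domain
            ADJoined       = $adJoined
            EsxAdminsGroup = $group
            GroupAutoAdd   = $autoAdd
            # Only AD-joined hosts match the attack vector; unpatched ones need review.
            ReviewNeeded   = $adJoined -and ($patchState -notlike 'Fixed*')
        }
    }
}

# Usage: show the hosts that still need attention.
Get-VMHost | Get-Cve202437085Exposure |
    Where-Object ReviewNeeded |
    Format-Table Host, Version, Build, PatchState, ADDomain, EsxAdminsGroup, GroupAutoAdd -AutoSize
```

Run it before and after patching: the ESXi 7.0 rows never leave the "review" set by build number alone, since the advisory plans no patch for that line, so for those hosts the EsxAdminsGroup and GroupAutoAdd columns are what to check against KB369707.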