Critical VMware Bugs Open Swaths of VMs to RCE, Data Theft

Broadcom has released fixes for three vulnerabilities affecting VMware vCenter, two of which are of critical severity and allow remote code execution (RCE). The disclosures come as virtual machines (VMs) continue to attract the notice of hackers, thanks to the rich repositories of sensitive data and applications they tend to house. Patching immediately is a good idea.

vCenter is the centralized management console for VMware virtual environments, and is used to view and manage VMs, multiple ESXi hosts, and all dependent components from a single centralized location. CVE-2024-37079 and CVE-2024-37080 are heap overflow vulnerabilities in vCenter's implementation of DCERPC — short for Distributed Computing Environment/Remote Procedure Call — used for calling a function on a remote machine as if it were a local one.

DCERPC is useful for engaging with remote machines, especially if you're a remote hacker. Using a specially crafted network packet, an attacker with network access can take advantage of these vulnerabilities to remotely execute their own code on VMs managed by vCenter. The potential for harm has earned both vulnerabilities critical 9.8 out of 10 scores on the CVSS scale.

Broadcom also patched a number of local privilege escalation vulnerabilities resulting from a misconfiguration of sudo within vCenter. Short for "superuser do" or "substitute user do," sudo allows users in Unix systems to run commands with the privileges of another user — at the root level by default. An authenticated local user can take advantage of the bug labeled CVE-2024-37081 to obtain administrative privileges on a vCenter Server appliance. It has been assigned a high CVSS score of 7.8.

As yet, there is no evidence that any of these three vulnerabilities have been exploited in the wild — though that could quickly change. Remediations can be found here, and an accompanying Q&A page here.

The Risk in Cloud VMs

According to its own documentation, VMware sports more than 400,000 customers, including 100% of all Fortune 500 and Fortune Global 100 companies. Its technology supports more than 80% of virtualized workloads and a good chunk of business critical applications.

"The increasing popularity of cloud computing has led to a corresponding surge in VM usage, consolidating multiple applications onto a single physical server," explains Patrick Tiquet, vice president of security and architecture at Keeper Security. "This consolidation not only enhances operational efficiency but also presents attackers with the opportunity to compromise a variety of services through a single breach."

vCenter Server epitomizes this risk. As the centralized management software supporting the VMWare vSphere and Cloud Foundation platforms, it provides a launch point for both IT administrators and hackers to reach many VMs running across organizations.

"Successful breaches not only disrupt services and dole out financial losses, but can also lead to the exposure of sensitive data and violations of regulatory requirements, severely damaging an organization’s reputation," Tiquet warns, so patching new vulnerabilities as they crop up is both necessary and insufficient for organizations to be at ease.

Besides network segmentation, vulnerability audits, and other security hardening tactics like incident response planning and maintaining robust backups, he says, it's the job of network administrators to lead from the front: "Administrators should always ensure they’re using a secure vault and secrets management solution, they must apply necessary updates as soon as possible, and they should also check their cloud console’s security controls to ensure they’re following the latest recommendations."