Vulnerabilities in VMware’s vCenter Server enable remote code execution


VMware by Broadcom has disclosed two critical vulnerabilities in vCenter Server, a key component for managing VMs on the Cloud Foundation and vSphere platforms. Although VMware has already released patches, these do not cover the older vSphere versions 6.5 and 6.7, even though those versions are still widely used.

The heap overflow vulnerabilities, tracked as CVE-2024-37079 and CVE-2024-37080, allow remote code execution on vCenter Server. Both flaws lie in vCenter Server’s implementation of the DCERPC protocol. Under the Common Vulnerability Scoring System (CVSS), both score 9.8, indicating a serious risk. However, VMware stated in a Q&A article that the vulnerabilities have not been actively exploited.

Privilege escalation

Another vulnerability involves a privilege escalation (CVE-2024-37081) that could allow a local user to gain full control of vCenter Server appliances. This one has a score of 7.8, but it nevertheless poses a significant security risk. A patch is also available for this vulnerability, as for the two critical ones. Details are documented in VMware’s security advisory VMSA-2024-0012.

However, users of the older vSphere 6.5 and 6.7 versions are out of luck, as these won’t get fixes. This is unsurprising: although these versions are still in frequent use, official support for them ended in October 2022, according to The Register.