The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in VMware’s software, which poses significant risks to federal systems. This flaw, designated as CVE-2024-37079, affects the centralized management utility of VMware’s vCenter Server, developed by Broadcom. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the potential for serious security breaches.
Exploiting the flaw allows remote code execution (RCE) or privilege escalation via specially crafted network packets. The vulnerability is a heap overflow in vCenter Server's implementation of Distributed Computing Environment/Remote Procedure Calls (DCE/RPC), a framework that lets programs call procedures on remote systems as though they were local. It carries a critical Common Vulnerability Scoring System (CVSS) rating of 9.8.
Security Measures and Exploitation in the Wild
Broadcom responded to the discovery of this vulnerability by issuing patches for versions 7.0 and higher of vCenter Server in 2024. Despite these updates, CISA has reported instances of exploitation in the wild. The agency has stated that it remains unclear whether this vulnerability has been leveraged in any ransomware attacks to date.
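A KEV listing is only actionable once it is matched against what an organization actually runs. The script below is an added example, not code from the article, CISA or Broadcom: it parses entries in the field layout CISA publishes for its KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), matches them to a constructed asset inventory, and classifies each match as vulnerable, patched, or unknown. The catalog entry, inventory hosts, dates, and the FIXED_MIN version table are constructed placeholders; the real minimum fixed builds must be taken from the vendor advisory, since the article only says that 7.0 and later were patched.

```python
"""Triage an asset inventory against CISA KEV-format entries (added example)."""
import json
from datetime import date

# Constructed KEV-format entry. Field names follow CISA's published JSON
# schema; the dates and vulnerability name are placeholders, not catalog values.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-37079",
            "vendorProject": "VMware",
            "product": "vCenter Server",
            "vulnerabilityName": "vCenter Server DCE/RPC heap overflow (placeholder name)",
            "dateAdded": "2025-01-01",
            "shortDescription": "Heap overflow in DCE/RPC allowing remote code execution.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-01-22",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ],
})

# Constructed inventory; hostnames and versions are invented.
INVENTORY = [
    {"host": "vcsa-prod-01", "vendor": "VMware", "product": "vCenter Server", "version": "7.0.3"},
    {"host": "vcsa-lab-02", "vendor": "VMware", "product": "vCenter Server", "version": "8.0.2"},
    {"host": "vcsa-dr-03", "vendor": "VMware", "product": "vCenter Server", "version": "7.0.2"},
    {"host": "vcsa-old-04", "vendor": "VMware", "product": "vCenter Server", "version": "6.7.0"},
    {"host": "esx-01", "vendor": "VMware", "product": "ESXi", "version": "8.0.2"},
]

# Minimum fixed version per release line. PLACEHOLDER values: replace with the
# numbers from the vendor advisory before using this for real decisions.
FIXED_MIN = {
    "CVE-2024-37079": {"7.0": "7.0.3", "8.0": "8.0.3"},
}


def parse_version(v: str) -> tuple:
    """'7.0.3' -> (7, 0, 3); non-numeric parts are ignored."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def release_line(v: str) -> str:
    """'8.0.2' -> '8.0'; used to look up the fixed build for that line."""
    return ".".join(v.split(".")[:2])


def assess(entry: dict, asset: dict, fixed_min: dict, today: date) -> dict:
    """Classify one asset against one KEV entry and compute days to the due date."""
    fixed = fixed_min.get(entry["cveID"], {}).get(release_line(asset["version"]))
    if fixed is None:
        status = "unknown"          # no fixed-version data for this line: verify manually
    elif parse_version(asset["version"]) >= parse_version(fixed):
        status = "patched"
    else:
        status = "vulnerable"
    due = date.fromisoformat(entry["dueDate"])
    return {
        "host": asset["host"],
        "cve": entry["cveID"],
        "status": status,
        "days_to_due": (due - today).days,
        "ransomware_use": entry["knownRansomwareCampaignUse"],
    }


def triage(kev_json: str, inventory: list, fixed_min: dict, today: date) -> list:
    """Match every KEV entry to inventory assets by vendor and product, worst first."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        for asset in inventory:
            if (asset["vendor"].lower() == entry["vendorProject"].lower()
                    and asset["product"].lower() == entry["product"].lower()):
                findings.append(assess(entry, asset, fixed_min, today))
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    findings.sort(key=lambda f: (order[f["status"]], f["days_to_due"]))
    return findings


def run_sample(today_iso: str = "2025-01-10") -> list:
    """Run the triage over the constructed sample data."""
    return triage(KEV_SAMPLE, INVENTORY, FIXED_MIN, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['host']:12} {f['cve']}  {f['status']:10} due in {f['days_to_due']:>3} d"
              f"  ransomware={f['ransomware_use']}")
```

Assets whose release line has no entry in the fixed-version table are reported as "unknown" rather than silently skipped, so an end-of-life line still surfaces for manual review; the ESXi host never matches because the catalog entry names vCenter Server, which is the point of matching on product rather than on vendor alone.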
This incident follows a recent security briefing from the National Security Agency (NSA) and CISA, which described another critical exploitation technique affecting VMware vSphere. That technique enabled malicious actors to extract credentials by accessing cloned virtual machine (VM) snapshots and to create rogue VMs using vCenter servers and the VMware ESXi hypervisor.
In a separate development earlier this month, another VMware exploitation campaign emerged. Attackers employed a custom exploit chain to escape from a VMware guest VM, executing malicious code directly on the ESXi hypervisor. Similar to the previous vulnerabilities discussed by the NSA, this guest-to-host exploit has been linked to threat actors operating from regions where Chinese is predominantly spoken.
As organizations continue to navigate the complexities of cybersecurity, the importance of timely updates and awareness of potential vulnerabilities cannot be overstated. The ongoing scrutiny of VMware’s software underscores the critical nature of maintaining robust security measures in an increasingly interconnected digital landscape.