VMware has released security updates to address three vulnerabilities in VMware vCenter Server that also affect VMware Cloud Foundation, which bundles vCenter Server.
Two of the flaws are rated critical (CVSS 9.8 out of 10) and one important (7.8); together they allow unauthenticated remote code execution over the network and local privilege escalation to root on the appliance.
The virtualization and cloud computing giant published the security advisory VMSA-2024-0012 on Tuesday, detailing the newly patched vulnerabilities and providing guidance for impacted users and administrators.
The most severe issues are two heap-overflow vulnerabilities in vCenter Server's implementation of the DCERPC protocol, tracked as CVE-2024-37079 and CVE-2024-37080. Both carry a CVSS base score of 9.8 out of 10.
"A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution," VMware warned in the advisory.
Unauthenticated remote code execution is the worst outcome a network-facing bug can have: an attacker who can reach the vCenter management interface needs no credentials to run code on the appliance that manages every ESXi host and virtual machine in the environment, and from there can take full control of the virtual infrastructure.
VMware fixed the DCERPC heap overflows in vCenter Server 8.0 Update 2d, vCenter Server 8.0 Update 1e, and vCenter Server 7.0 Update 3r; the advisory also lists the corresponding updates for affected VMware Cloud Foundation releases. VMware provides no in-product workaround, so organizations running impacted vCenter Server or Cloud Foundation deployments should update immediately and, until they do, restrict network access to the vCenter Server management interface to trusted administrative networks.
Additionally, VMware patched multiple local privilege escalation vulnerabilities in vCenter Server, tracked together as CVE-2024-37081 and caused by insecure sudo configurations. This issue has a CVSS score of 7.8 and allows an authenticated local user with non-administrative privileges to escalate to root on the vCenter Server Appliance.
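The advisory does not publish the specific sudo rules behind CVE-2024-37081, but the class of weakness is well understood: a sudoers rule that lets a low-privilege account run, as root, a program offering a shell escape, a wildcard argument, a relative path, or an environment that carries loader variables through. The following is an added example (not VMware's code and not the vCenter Server Appliance's policy) that audits a sudoers policy for exactly that class; the sample policy and the hardened counterpart are constructed for illustration.

```python
"""Audit a sudoers policy for rules that let a non-root account reach root.
Added example; SAMPLE_SUDOERS and HARDENED_SUDOERS are constructed and are
NOT the vCenter Server Appliance configuration, which the advisory does not publish."""
import os
import re
from dataclasses import dataclass

# Programs that hand the caller a shell or an arbitrary file write once they run as root.
SHELL_ESCAPE_BINARIES = {
    "sh", "bash", "dash", "zsh", "env", "vi", "vim", "less", "more", "man",
    "find", "awk", "perl", "python", "python3", "tar", "rsync", "tee", "cp",
}
# Environment variables that change which code a privileged process loads.
DANGEROUS_ENV_KEEP = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB", "BASH_ENV", "ENV"}

RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")

# Constructed sample policy (hypothetical accounts and paths).
SAMPLE_SUDOERS = """\
# constructed example, not from any real appliance
Defaults env_reset
Defaults env_keep += "LANG LD_PRELOAD"
root       ALL=(ALL) ALL
%wheel     ALL=(ALL) ALL
svc_backup ALL=(root) NOPASSWD: /usr/bin/rsync
svc_report ALL=(root) NOPASSWD: /opt/app/bin/report.sh *
operator   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, vim
appuser    ALL=(ALL) NOPASSWD: ALL
"""

# Constructed hardened counterpart: fixed wrappers, fixed arguments, no loader variables kept.
HARDENED_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG"
root       ALL=(ALL) ALL
svc_backup ALL=(root) NOPASSWD: /usr/local/sbin/run-backup ""
svc_report ALL=(root) NOPASSWD: /opt/app/bin/report.sh daily
"""


@dataclass
class Rule:
    lineno: int
    who: str
    runas: str
    tags: list
    commands: list


def parse_sudoers(text):
    """Return (rules, defaults). Simplification: tags written before the first
    command are taken to apply to every command in that rule; aliases and
    include directives are ignored."""
    rules, defaults = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.append((lineno, line))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        spec, tags = m.group("spec"), []
        while (t := TAG_RE.match(spec)):
            tags.append(t.group(1))
            spec = spec[t.end():]
        commands = [c.strip() for c in spec.split(",") if c.strip()]
        rules.append(Rule(lineno, m.group("who"), m.group("runas") or "root", tags, commands))
    return rules, defaults


def audit_sudoers(text):
    """Return findings as (lineno, severity, message), most severe first."""
    findings = []
    rules, defaults = parse_sudoers(text)
    for lineno, line in defaults:
        if re.search(r"\benv_keep\b", line) and "=" in line:
            kept = set(re.findall(r"[A-Z_0-9]+", line.split("=", 1)[1]))
            bad = sorted(kept & DANGEROUS_ENV_KEEP)
            if bad:
                findings.append((lineno, "high", f"env_keep preserves {bad}; root commands load caller-chosen code"))
        if re.search(r"\s!env_reset\b", line):
            findings.append((lineno, "high", "env_reset disabled; caller's environment reaches root commands"))
    for r in rules:
        if r.who == "root" or r.runas not in ("ALL", "root"):
            continue  # only rules that take a non-root account to root matter here
        nopasswd = "NOPASSWD" in r.tags
        for cmd in r.commands:
            prog = cmd.split()[0]
            if prog == "ALL":
                sev = "critical" if nopasswd else "high"
                findings.append((r.lineno, sev, f"{r.who} may run ALL as root" + (" without a password" if nopasswd else "")))
                continue
            if not prog.startswith("/"):
                findings.append((r.lineno, "high", f"{r.who}: relative command {prog!r} is resolved through the caller's PATH"))
            if os.path.basename(prog) in SHELL_ESCAPE_BINARIES:
                findings.append((r.lineno, "high", f"{r.who}: {prog} as root offers a shell escape or arbitrary write"))
            if "*" in cmd:
                findings.append((r.lineno, "medium", f"{r.who}: wildcard in {cmd!r} lets the caller inject arguments"))
        if "SETENV" in r.tags:
            findings.append((r.lineno, "medium", f"{r.who}: SETENV lets the caller override the root command's environment"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    for lineno, sev, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: [{sev}] {msg}")
    print("hardened policy findings:", audit_sudoers(HARDENED_SUDOERS))
```

On the sample policy the auditor flags the passwordless `ALL` rule as critical, the `rsync`, `vim`, `%wheel` and `LD_PRELOAD` entries as high, and the `report.sh *` wildcard as medium; the hardened policy produces no findings. Run it against `/etc/sudoers` and the files under `/etc/sudoers.d` (as root, or via `sudo -l` output) to find the same shape of exposure on any Linux appliance.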
VMware credits security researchers Hao Zheng and Zibo Li from Legendsec at Qi'anxin Group for reporting the DCERPC heap-overflow flaws, and Matei "Mal" Badanoiu from Deloitte Romania for reporting the sudo privilege-escalation issues.
Administrators should inventory their vCenter Server and Cloud Foundation deployments, compare the installed build against the fixed versions listed in the advisory, and apply the updates without delay; because the sudo flaw is exploitable by any local account, the review should also cover who holds non-administrative logins on the appliance.