On 17 June 2024, VMware disclosed two critical vulnerabilities (CVE-2024-37079 & CVE-2024-37080) affecting vCenter Server and Cloud Foundation. These vulnerabilities stem from a heap-overflow issue in the implementation of the DCERPC protocol which can be exploited by remote threat actors. By sending specially crafted network packets, threat actors could exploit CVE-2024-37079 and CVE-2024-37080 to achieve Remote Code Execution (RCE) on both vCenter Server and Cloud Foundation systems.
Both vulnerabilities were responsibly reported to VMware by security researchers. Arctic Wolf has not identified any publicly available proof of concept (PoC) exploits for these vulnerabilities. Furthermore, VMware has confirmed that there have been no observed exploits of CVE-2024-37079 and CVE-2024-37080. However, threat actors have targeted multiple previous vulnerabilities in VMware vCenter Server and Cloud Foundation, which are listed in CISA’s Known Exploited Vulnerabilities Catalog.
Recommendations for CVE-2024-37079 & CVE-2024-37080
Arctic Wolf strongly recommends updating to the latest version of vCenter and Cloud Foundation. Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
Product | Vulnerability | Affected Version | Fixed Version |
vCenter Server | CVE-2024-37079, CVE-2024-37080 | 8.0 | |
vCenter Server | CVE-2024-37079, CVE-2024-37080 | 7.0 | 7.0 U3r |
Cloud Foundation | CVE-2024-37079, CVE-2024-37080 | 5.x | KB88287 |
Cloud Foundation | CVE-2024-37079, CVE-2024-37080 | 4.x | KB88287 |