DIVD-2024-00029 - VMware vCenter Server multiple heap-overflow vulnerabilities
Our reference | DIVD-2024-00029 |
Case lead | Oscar Vlugt |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Install the update as soon as possible |
Patch status | Available |
Workaround | None |
Status | Closed |
Last modified | 21 Nov 2024 16:20 CET |
Summary
vCenter Server contains multiple heap-overflow vulnerabilities in its implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet, potentially leading to remote code execution.
Recommendations
To remediate CVE-2024-37079 and CVE-2024-37080, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments. You can find the ‘Response Matrix’ at the bottom of this post.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of vCenter Server and to notify these parties. We do this by looking at the version numbers if possible. Although our fingerprinting cannot confirm if instances are vulnerable to the initial attack vector, we want to issue a warning that a critical infrastructural component is exposed if it falls within the specified vulnerable versions.
Timeline
Date | Description |
---|---|
21 Jun 2024 | DIVD starts researching the vulnerability. |
02 Jul 2024 | DIVD finds fingerprint, preparing to scan. |
02 Jul 2024 | DIVD starts scanning the internet for vulnerable instances. |
09 Jul 2024 | DIVD performed a rescan to retrieve the latest vulnerable instances. |
09 Jul 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
05 Aug 2024 | DIVD performed a rescan to retrieve the latest vulnerable instances. |
06 Aug 2024 | DIVD starts notifying network owners with a vulnerable instance in their network for the second time. |
06 Aug 2024 | Based on the results we’ve observed, we conclude that additional notifications will not further decrease the attack surface, and therefore, we are closing this case. |