
DIVD-2024-00029 - VMware vCenter Server multiple heap-overflow vulnerabilities

Our reference DIVD-2024-00029
Case lead Oscar Vlugt
Researcher(s)
CVE(s)
Products
  • VMware vCenter
Versions
  • vCenter 7 Update 3 lower than version 7.0 U3r (build 24026615)
  • vCenter 8 Update 1 lower than version 8.0 U1e (build 24005165)
  • vCenter 8 Update 2 lower than version 8.0 U2d (build 23929136)
Recommendation Install the update as soon as possible
Patch status Available
Workaround None
Status Open
Last modified 02 Jul 2024 21:30

Summary

The vCenter Server contains multiple heap-overflow vulnerabilities in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution.

Recommendations

To remediate CVE-2024-37079 and CVE-2024-37080, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments. You can find the ‘Response Matrix’ at the bottom of this post.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of vCenter Server and to notify these parties. We do this by looking at version numbers where possible.
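As an added illustration of such a version check (example code, not DIVD's own tooling), the following Python classifies a vCenter Server instance from the version and build it reports against the fixed builds listed above. It assumes the version string and build come from the vSphere API AboutInfo (for example "7.0.3" and "24026615") and that the third version component is the Update number; the inventory is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# (major, minor, update) -> first fixed build, taken from the advisory's version list
FIXED_BUILDS = {
    (7, 0, 3): 24026615,  # vCenter 7.0 U3r
    (8, 0, 1): 24005165,  # vCenter 8.0 U1e
    (8, 0, 2): 23929136,  # vCenter 8.0 U2d
}

@dataclass
class Verdict:
    status: str            # "affected", "fixed" or "unknown"
    line: str              # e.g. "8.0 U2"
    fixed_build: int | None

def parse_version(version: str) -> tuple[int, int, int]:
    # Assumption: AboutInfo.version looks like "7.0.3"; third field is the Update number
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    major, minor = int(parts[0]), int(parts[1])
    update = int(parts[2]) if len(parts) > 2 else 0
    return major, minor, update

def assess(version: str, build: str | int) -> Verdict:
    """Compare the reported build with the fixed build of the SAME update line.

    Build numbers are only ordered within a line: 8.0 U2d (23929136) is a fix
    although it is numerically lower than 8.0 U1e (24005165), so a global
    'build >= N' test would misclassify patched U2 instances.
    """
    key = parse_version(version)
    line = f"{key[0]}.{key[1]} U{key[2]}"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        # Line not covered by the advisory's list: report it instead of guessing
        return Verdict("unknown", line, None)
    status = "affected" if int(build) < fixed else "fixed"
    return Verdict(status, line, fixed)

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    inventory = [("vc-a", "7.0.3", 24026614), ("vc-b", "8.0.2", 23800000),
                 ("vc-c", "8.0.2", 23929136), ("vc-d", "8.0.0", 20000000)]
    for name, ver, build in inventory:
        v = assess(ver, build)
        print(f"{name}: {v.line} build {build} -> {v.status} (fixed from {v.fixed_build})")
```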

Timeline

Date Description
21 Jun 2024 DIVD starts researching the vulnerability.

More information