DIVD-2024-00029 - VMware vCenter Server multiple heap-overflow vulnerabilities

Our reference DIVD-2024-00029
Case lead Oscar Vlugt
Researcher(s)
CVE(s)
Products
  • VMware vCenter
Versions
  • vCenter 7 Update 3 lower than version 7.0 U3r (build 24026615)
  • vCenter 8 Update 1 lower than version 8.0 U1e (build 24005165)
  • vCenter 8 Update 2 lower than version 8.0 U2d (build 23929136)
Recommendation Install the update as soon as possible
Patch status Available
Workaround None
Status Open
Last modified 07 Aug 2024 13:47 CEST

Summary

The vCenter Server contains multiple heap overflow vulnerabilities in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution.

Recommendations

To remediate CVE-2024-37079, and CVE-2024-37080 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments. You can find the ‘Response Matrix’ at the bottom of this post.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of vCenter Server and to notify these parties. We do this by looking at the version numbers if possible. Although our fingerprinting cannot confirm if instances are vulnerable to the initial attack vector, we want to issue a warning that a critical infrastructural component is exposed if it falls within the specified vulnerable versions.

Timeline

Date Description
21 Jun 2024 DIVD starts researching the vulnerability.
02 Jul 2024 DIVD finds fingerprint, preparing to scan.
02 Jul 2024 DIVD starts scanning the internet for vulnerable instances.
09 Jul 2024 DIVD performed a rescan to retrieve the latest vulnerable instances
09 Jul 2024 DIVD starts notifying network owners with a vulnerable instance in their network.
05 Aug 2024 DIVD performed a rescan to retrieve the latest vulnerable instances
06 Aug 2024 DIVD starts notifying network owners with a vulnerable instance in their network for the second time.
06 Aug 2024 Based on the results we’ve observed, we conclude that additional notifications will not further decrease the attack surface, and therefore, we are closing this case.
gantt title DIVD-2024-00029 - VMware vCenter Server multiple heap-overflow vulnerabilities dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00029 - VMware vCenter Server multiple heap-overflow vulnerabilities (still open) :2024-06-21, 2024-10-28 section Events DIVD starts researching the vulnerability. : milestone, 2024-06-21, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-07-02, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-07-02, 0d DIVD performed a rescan to retrieve the latest vulnerable instances : milestone, 2024-07-09, 0d DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-07-09, 0d DIVD performed a rescan to retrieve the latest vulnerable instances : milestone, 2024-08-05, 0d DIVD starts notifying network owners with a vulnerable instance in their network for the second time. : milestone, 2024-08-06, 0d Based on the results we’ve observed, we conclude that additional notifications will not further decrease the attack surface, and therefore, we are closing this case. : milestone, 2024-08-06, 0d

More information