CISA Adds Critical VMware vCenter RCE Flaw to Exploited Catalog
TL;DR
- This article details CVE-2024-37079, a critical VMware vCenter Server vulnerability that is actively exploited. The flaw, a heap overflow in the DCERPC protocol, allows for remote code execution without privileges. CISA has mandated federal agencies to patch their systems, emphasizing the urgent need for organizations to secure their virtualization environments by applying Broadcom's security patches.
Critical VMware vCenter Server Flaw Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical VMware vCenter Server vulnerability as actively exploited and ordered federal agencies to secure their servers. This vulnerability, identified as CVE-2024-37079, stems from a heap overflow weakness in the DCERPC protocol implementation.
Technical Details of CVE-2024-37079
CVE-2024-37079 is a heap overflow vulnerability found in the DCERPC protocol implementation within VMware vCenter Server. A threat actor with network access can exploit this flaw by sending a specially crafted network packet. Successful exploitation leads to remote code execution without requiring privileges or user interaction. Broadcom, the parent company of VMware, advised customers to apply the necessary security patches immediately.
CISA's Directive and Broadcom's Confirmation
CISA added the vulnerability to its catalog of flaws exploited in the wild and has given Federal Civilian Executive Branch (FCEB) agencies until February 13th to secure their systems, as mandated by Binding Operational Directive (BOD) 22-01. Broadcom has updated its original advisory to confirm active exploitation of CVE-2024-37079.
Discovery and Related Vulnerabilities
Researchers Hao Zheng and Zibo Li from QiAnXin LegendSec are credited with discovering and reporting CVE-2024-37079. They presented their findings at the Black Hat Asia security conference, detailing how this vulnerability, along with CVE-2024-37080, CVE-2024-38812 and CVE-2024-38813, could be chained to achieve unauthorized remote root access.
Threat Landscape and Exploitation
While the specific details of how CVE-2024-37079 is being exploited remain unclear, virtualization infrastructure, including VMware vCenter Server, remains a prime target for malicious actors. Caitlin Condon, VP of security research at VulnCheck, noted that older public vulnerability information is often leveraged in new attacks. Organizations should ensure that vCenter Servers are not exposed to the public internet to mitigate potential threats. Gopher Security’s AI-powered, post-quantum Zero‑Trust cybersecurity architecture provides robust protection against such vulnerabilities by converging networking and security across all environments, utilizing peer-to-peer encrypted tunnels and quantum-resistant cryptography.
Gopher Security: Protecting Against Advanced Threats
Gopher Security specializes in AI-powered, post-quantum Zero‑Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography. Like https://gopher.security, we offer comprehensive cybersecurity solutions tailored to protect against actively exploited vulnerabilities such as CVE-2024-37079.
Ensure your systems are protected against advanced threats. Visit Gopher Security to explore our services or contact us for a consultation.
