Alert essentials:
Three flaws have been discovered in vCenter servers. These weaknesses could allow a bad actor to elevate their privileges and remotely control servers.
Upgrade impacted versions of vCenter servers immediately.
Detailed threat description:
Distributed Computing Environment / Remote Procedure Call (DCE/RPC) is used in vCenter servers to manage virtual machines.
Reports started circulating hours ago regarding two critical heap overflow flaws and a critical privilege escalation found in the protocol. A malicious actor with network access to the vCenter server can exploit these vulnerabilities to elevate their privileges and take control of the system.
There are no known exploits utilizing these vulnerabilities as of this writing.
A fix is available by upgrading the vCenter server to a fixed version. However, older vCenter versions 6.5 and 6.7 remain untested for vulnerabilities. Support for these versions ended in October 2022, and it is not likely that the versions will receive a fix.
Impacts on healthcare organizations:
A cyberattack can affect the medical provider’s bottom line and patients’ trust. The hacker expects to extract protected data about the provider and the patients under care.
Along the way to this data, a bad actor will likely prevent using life-saving technologies by taking systems offline. Vital network functions may be unavailable, preventing medical providers from accessing patient history and current needs.
Affected products / versions:
- Cloud Foundation (vCenter Server 4.x)
- Cloud Foundation (vCenter Server 5.x)
- vCenter Server 7.0 on any operating system
- vCenter Server 8.0 on any operating system
CVEs
- CVE-2024-37079
- CVE-2024-37080
- CVE-2024-37081
KB
- Fixed KB for Cloud Foundation v4.x and v5.x= KB88287
Recommendations
Engineering recommendations:
- Update versions of impacted vCenter servers
- Administrators can verify patch applications by accessing the Appliance Shell and using the software packages utility of servers to list installed updates
- Consider if DCE/RPC is necessary in the environment
- If not, disabling it and blocking all associated ports with firewalls and ACLs is the best defense
- DCE/RPC should only be allowed between internal systems using the service if necessary for operations
- Incoming DCE/RPC queries from the Internet should be blocked entirely at the perimeter firewall with no exceptions
Leadership / program recommendations:
- Prepare the organization for breach recovery by creating and maintaining an incident response program
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- VMware advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
- Cloud Foundation 5.x/4.x KB: https://knowledge.broadcom.com/external/article?legacyId=88287
- Incident Response: https://fortifiedhealthsecurity.com/services/advisory-services/incident-response-services
- Securing vCenter: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-81B3517E-5F97-4013-B1EB-92C25E458E28.html
- vCenter Firewall Settings: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-3AFB677A-8957-44C2-86DE-1D2D6CC19431.html
- vCenter Security Best Practices: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-3F7F045A-C4E6-4891-9859-1FAC54E85E9D.html
