CISA Warns Active Exploits Target Critical VMware RCE Flaw

Summary
– CISA has ordered U.S. federal agencies to patch a critical, actively exploited VMware vCenter Server vulnerability (CVE-2024-37079) within three weeks.
– The flaw is a heap overflow that allows attackers with network access to execute remote code without needing privileges or user interaction.
– There are no workarounds, so applying the security patches Broadcom released in June 2024 is the only solution.
– This vulnerability is a frequent attack vector posing significant risk, and agencies must patch, follow cloud guidance, or discontinue use.
– This is part of a pattern, as CISA has recently mandated fixes for other exploited VMware vulnerabilities, including some tied to Chinese hackers.
A critical security flaw in VMware vCenter Server is now under active attack, prompting urgent action from U.S. federal agencies. The Cybersecurity and Infrastructure Security Agency (CISA) has formally added the vulnerability to its catalog of known exploited weaknesses, mandating that all Federal Civilian Executive Branch agencies apply necessary patches within a three-week deadline. This directive underscores the severe risk posed by the flaw, which allows attackers to execute code remotely on unpatched systems.
Identified as CVE-2024-37079, this vulnerability is a heap overflow issue within the DCERPC protocol implementation of vCenter Server. As the central management platform for VMware vSphere environments, vCenter Server is a high-value target. The flaw enables a threat actor with network access to send a specially crafted packet that triggers remote code execution. These attacks are considered low in complexity, requiring no user interaction or prior system privileges, making exploitation straightforward for malicious actors once they gain a foothold on the network.
Broadcom, which now owns VMware, has stated there are no available workarounds or mitigations for this specific vulnerability. The only definitive solution is to apply the security patches the company released in June 2024. Organizations must update to the latest versions of vCenter Server and VMware Cloud Foundation. Following CISA’s binding operational directive, federal agencies have until February 13th to secure their systems or face potential enforcement actions.
The agency’s warning was unequivocal, noting that such vulnerabilities are frequent and effective attack vectors that pose substantial risks to government networks. CISA advised entities to apply vendor-provided patches immediately, adhere to cloud service security guidance, or discontinue using the product if updates cannot be implemented. Broadcom subsequently updated its own security advisory to confirm it is also aware of active exploitation occurring in the wild.
This incident is part of a concerning pattern. Just last October, CISA directed agencies to patch another high-severity flaw in VMware Aria Operations and VMware Tools software that Chinese state-sponsored hackers had been exploiting. Furthermore, throughout the past year, Broadcom has addressed multiple other serious vulnerabilities in VMware products, including flaws reported by the U.S. National Security Agency and several zero-day exploits discovered by Microsoft. The repeated targeting of VMware’s virtualization infrastructure highlights its critical role in enterprise and government IT, making it a persistent focus for both defenders and attackers.
(Source: Bleeping Computer)