Article Details

Scrape Timestamp (UTC): 2026-01-23 22:06:26.493

Source: https://www.theregister.com/2026/01/23/critical_vmware_vcenter_server_bug/

Original Article Text

Patch or die: VMware vCenter Server bug fixed in 2024 under attack today

If you skipped it back then, now's a very good time. You've got to keep your software updated.

Some unknown miscreants are exploiting a critical VMware vCenter Server bug more than a year after Broadcom patched the flaw.

The vulnerability, tracked as CVE-2024-37079, is an out-of-bounds write flaw in vCenter Server's implementation of the DCERPC protocol that earned a 9.8 out of 10 CVSS rating. In other words: it's almost as bad as it gets.

DCERPC, which stands for Distributed Computing Environment/Remote Procedure Calls, allows software to invoke procedures and services on a remote system across a network. This bug can be abused by someone with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution, and on Friday, both the vendor and the feds warned that this - or something along these lines - is happening.

"Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild," the vendor warned in an update to its June 18, 2024 security advisory.

Also on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) added this critical security hole to its Known Exploited Vulnerabilities (KEV) Catalog. This means federal agencies must patch the flaw by February 13 - again, we must note that Broadcom issued a software update that fixes this CVE more than a year and a half ago, and June 2024 would have been the optimal time to deploy the patch.

CISA's KEV lists the bug's use in ransomware campaigns as "unknown," and Broadcom didn't provide any details about the scope of exploitation, or respond to The Register's inquiries about CVE-2024-37079's abuse. We'll update this story as we learn more about who is abusing this flaw, and what they are doing with the illicit access to enterprises' vCenter Servers.

VulnCheck VP of security research Caitlin Condon told The Register that virtualization infrastructure - including Broadcom's vCenter Server - is a favorite target for both government-backed hackers and financially motivated cybercriminals.

"As an example, CVE-2023-34048, a prior vulnerability in vCenter Server's DCERPC protocol, was exploited by at least three known China-nexus threat actors (Fire Ant, Warp Panda, and UNC3886)," Condon said.

Condon said she's not surprised to see the bug being exploited by attackers considering details about the vulnerability have been public for more than a year.

"It's common to see threat actors - including state-sponsored groups - opportunistically leveraging even older public vulnerability information to conduct new attacks, so it's not terribly surprising that the vulnerability has seen exploitation in the wild," she said.

"While there are no immediate details on threat actor attribution or attacker behavior, vCenter Server should never, ever be exposed to the public internet, so it's likely the adversary already had a foothold in the victim environment," Condon added.

Daily Brief Summary

VULNERABILITIES // Critical VMware vCenter Server Flaw Exploited Despite 2024 Patch

A critical vulnerability in VMware vCenter Server, CVE-2024-37079, is being actively exploited over a year after a patch was released.

The flaw, an out-of-bounds write in the DCERPC protocol, presents a severe risk with a CVSS score of 9.8, potentially allowing remote code execution.

Both Broadcom and CISA have issued warnings, with CISA adding the vulnerability to its Known Exploited Vulnerabilities Catalog, which requires federal agencies to patch it by February 13.

Despite the patch's availability since June 2024, exploitation continues, with details on the scope and actors involved still unclear.

Virtualization infrastructure, including vCenter Server, remains a prime target for both nation-state actors and cybercriminals.

Previous vulnerabilities in the same protocol have been exploited by China-linked threat groups, indicating the persistent interest in such targets.

Organizations are urged to ensure vCenter Servers are not exposed to the internet and to apply patches promptly to mitigate risks.