VMSA-2024-0013: VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087)

VMware Cloud Foundation

24505

12 August 2024

25 June 2024

CLOSED

MEDIUM

5.3-6.8

CVE-2024-37085, CVE-2024-37086, CVE-2024-37087

 

Advisory ID:  VMSA-2024-0013.2
Advisory Severity: Moderate
CVSSv3 Range: 5.3-6.8
Synopsis: VMware ESXi and vCenter Server updates address multiple vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087)
Issue date: 2024-06-25
Updated on: 2024-08-12
CVE(s): CVE-2024-37085, CVE-2024-37086, CVE-2024-37087

 

1. Impacted Products

  • VMware ESXi
  • VMware vCenter Server
  • VMware Cloud Foundation

2. Introduction

Multiple vulnerabilities in ESXi and vCenter Server were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085) 

Description:
VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8.

Known Attack Vectors:
A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESX Admins' by default) after it was deleted from AD.

Resolution:
To remediate CVE-2024-37085 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds:
In-product workarounds for CVE-2024-37085 can be found in the 'Workaround' column of the 'Response Matrix' below.

Additional Documentation:
None.

Acknowledgments:
VMware would like to thank Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto of Microsoft for reporting this issue to us.

Notes:
None.

Response Matrix:

| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 8.0 | Any | CVE-2024-37085 | 6.8 | Moderate | ESXi80U3-24022510 | KB369707 | None |
| ESXi | 7.0 | Any | CVE-2024-37085 | 6.8 | Moderate | No Patch Planned | KB369707 | None |
| VMware Cloud Foundation | 5.x | Any | CVE-2024-37085 | 6.8 | Moderate | 5.2 | KB369707 | None |
| VMware Cloud Foundation | 4.x | Any | CVE-2024-37085 | 6.8 | Moderate | No Patch Planned | KB369707 | None |
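
Detection example for the attack vector in 3a (added here; not part of the VMware advisory or any VMware tooling): the sketch below scans domain controller Security events for a watched group name being deleted and later created again under a new SID, and for members being added to that new group. The record fields (`time`, `id`, `group`, `sid`, `actor`), the `watched` parameter and the sample events are assumptions constructed for illustration; the event IDs are the standard Windows group-management audit events. It also reports first-time creation, since the deletion may fall outside the collected log window.

```python
from datetime import datetime

# Windows Security event IDs for security-enabled group changes.
CREATED = {4727, 4731, 4754}       # global / local / universal group created
DELETED = {4730, 4734, 4758}       # global / local / universal group deleted
MEMBER_ADDED = {4728, 4732, 4756}  # member added to global / local / universal

def find_group_recreation(events, watched=("ESX Admins",)):
    """Flag watched AD groups that are created, re-created after a deletion
    (same name, new SID), or populated after such a creation."""
    watched_lc = {name.lower() for name in watched}
    deleted_sid = {}    # lower-cased group name -> SID of the deleted group
    fresh_sids = set()  # SIDs of watched groups created inside the log window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = ev["group"].lower()  # AD group names are case-insensitive
        if name not in watched_lc:
            continue
        if ev["id"] in DELETED:
            deleted_sid[name] = ev["sid"]
        elif ev["id"] in CREATED:
            recreated = name in deleted_sid and deleted_sid[name] != ev["sid"]
            fresh_sids.add(ev["sid"])
            alerts.append(("recreated" if recreated else "created",
                           ev["group"], ev["actor"], ev["time"]))
        elif ev["id"] in MEMBER_ADDED and ev["sid"] in fresh_sids:
            alerts.append(("member_added", ev["group"], ev["actor"], ev["time"]))
    return alerts

def _ev(ts, event_id, group, rid, actor):
    # Constructed sample record; the domain SID prefix below is made up.
    return {"time": datetime.fromisoformat(ts), "id": event_id, "group": group,
            "sid": f"S-1-5-21-1111111111-2222222222-3333333333-{rid}", "actor": actor}

SAMPLE_EVENTS = [  # constructed for illustration, not taken from the advisory
    _ev("2024-07-01T09:00:00", 4730, "ESX Admins", 1105, "CORP\\admin1"),
    _ev("2024-07-03T22:14:05", 4727, "Helpdesk", 4409, "CORP\\admin1"),
    _ev("2024-07-03T22:15:40", 4727, "esx admins", 4410, "CORP\\svc-join"),
    _ev("2024-07-03T22:15:58", 4728, "esx admins", 4410, "CORP\\svc-join"),
]

if __name__ == "__main__":
    for kind, group, actor, when in find_group_recreation(SAMPLE_EVENTS):
        print(f"{when.isoformat()} {kind:<12} group={group!r} actor={actor}")
```

If hosts are configured with a group name other than the default, pass that name in `watched`.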

 

3b. VMware ESXi out-of-bounds read vulnerability (CVE-2024-37086)

Description:
VMware ESXi contains an out-of-bounds read vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8.

Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual machine with an existing snapshot may trigger an out-of-bounds read leading to a denial-of-service condition of the host.

Resolution:
To remediate CVE-2024-37086 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.


Workarounds:
None.

Additional Documentation:
None.

Acknowledgments:
VMware would like to thank Hao Zheng (@zhz) and Jiaqing Huang (@s0duku) from TianGong Team of Legendsec at Qi'anxin Group for reporting this issue to us.

Notes:
None.

Response Matrix:

| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 8.0 | Any | CVE-2024-37086 | 6.8 | Moderate | ESXi80U3-24022510 | None | None |
| ESXi | 7.0 | Any | CVE-2024-37086 | 6.8 | Moderate | ESXi70U3sq-23794019 | None | None |
| VMware Cloud Foundation | 5.x | Any | CVE-2024-37086 | 6.8 | Moderate | 5.2 | None | None |
| VMware Cloud Foundation | 4.x | Any | CVE-2024-37086 | 6.8 | Moderate | Async patch to ESXi 7.0 U3q | None | Async Patching Guide: KB88287 |

 

3c. VMware vCenter denial-of-service vulnerability (CVE-2024-37087) 

Description:
The vCenter Server contains a denial-of-service vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors:
A malicious actor with network access to vCenter Server may create a denial-of-service condition.

Resolution:
To remediate CVE-2024-37087 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.


Workarounds:
None.

Additional Documentation:
None.

Acknowledgments:
VMware would like to thank Guy Lederfein of Trend Micro for reporting this issue to us.

Notes:
[1] The vCenter Server 7.0 version (7.0 U3q) mentioned in the response matrix is the first to address this issue but is not the latest. The recommendation is to consume the latest version, i.e. vCenter Server 7.0 U3r, to resolve the Critical severity vulnerabilities documented in VMSA-2024-0012.

Response Matrix:

| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vCenter Server | 8.0 | Any | CVE-2024-37087 | 5.3 | Moderate | 8.0 U3 | None | None |
| vCenter Server | 7.0 | Any | CVE-2024-37087 | 5.3 | Moderate | 7.0 U3q [1] | None | None |
| VMware Cloud Foundation | 5.x | Any | CVE-2024-37087 | 5.3 | Moderate | 5.2 | None | None |
| VMware Cloud Foundation | 4.x | Any | CVE-2024-37087 | 5.3 | Moderate | Async patch to 7.0 U3q [1] | None | Async Patching Guide: KB88287 |

 

4. References:

Fixed Version(s) and Release Notes:

VMware ESXi 8.0 U3
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?displayGroup=VMware%20vSphere%20-%20Standard&release=8.0&os=&servicePk=202631&language=EN&groupId=204419
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-803-release-notes/index.html

VMware ESXi 7.0 ESXi70U3sq-23794019
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5330
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3q-release-notes/index.html

VMware vCenter Server 8.0 U3
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20vCenter%20Server&displayGroup=VMware%20vCenter%20Server%208.x&release=8.0U3&os=&servicePk=520490&language=EN
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-803-release-notes/index.html

VMware vCenter Server 7.0 U3q
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5329
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3q-release-notes/index.html

VMware Cloud Foundation 5.2
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Cloud%20Foundation&displayGroup=VMware%20Cloud%20Foundation%205.2&release=5.2&os=&servicePk=520823&language=EN
https://docs.vmware.com/en/VMware-Cloud-Foundation/5.2/rn/vmware-cloud-foundation-52-release-notes/index.html

KB Articles:
Cloud Foundation 5.x/4.x:
https://knowledge.broadcom.com/external/article?legacyId=88287

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37087

FIRST CVSSv3 Calculator:
CVE-2024-37085: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE-2024-37086: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVE-2024-37087: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5. Change Log:

2024-06-25 VMSA-2024-0013
Initial security advisory.

2024-07-24 VMSA-2024-0013.1
Updated advisory to add fixed version of VCF 5.x in the Response Matrix of 3a, 3b, and 3c.

2024-08-12 VMSA-2024-0013.2
Additional instructions provided for in-product workarounds for CVE-2024-37085 (KB369707).

 

6. Contact:

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2024 Broadcom. All rights reserved.