VMSA-2024-0013:VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087)
24505
12 August 2024
25 June 2024
CLOSED
MEDIUM
5.3-6.8
CVE-2024-37085, CVE-2024-37086, CVE-2024-37087
Advisory ID: | VMSA-2024-0013.2 |
Advisory Severity: | Moderate |
CVSSv3 Range: | 5.3-6.8 |
Synopsis: | VMware ESXi and vCenter Server updates address multiple vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087) |
Issue date: | 2024-06-25 |
Updated on: | 2024-08-12 |
CVE(s) | CVE-2024-37085, CVE-2024-37086, CVE-2024-37087) |
1. Impacted Products
- VMware ESXi
- VMware vCenter Server
- VMware Cloud Foundation
2. Introduction
Multiple vulnerabilities in ESXi and vCenter Server were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
3a. VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085)
Description:
VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8..
Known Attack Vectors:
A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESX Admins' by default) after it was deleted from AD.
Resolution:
To remediate CVE-2024-37085 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds:
In-product workarounds for CVE-2024-37085 can be found in the 'Workaround' column of the 'Response Matrix' below
Additional Documentation:
None.
Acknowledgments:
VMware would like to thank Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto of Microsoft for reporting this issue to us.
Notes:
None.
Response Matrix:
VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 8.0 | Any | CVE-2024-37085 | 6.8 | Moderate | ESXi80U3-24022510 | KB369707 | None |
ESXi | 7.0 | Any | CVE-2024-37085 | 6.8 | Moderate | No Patch Planned | KB369707 | None |
VMware Cloud Foundation | 5.x | Any | CVE-2024-37085 | 6.8 | Moderate | 5.2 | KB369707 | None |
VMware Cloud Foundation | 4.x | Any | CVE-2024-37085 | 6.8 | Moderate | No Patch Planned | KB369707 | None |
3b. VMware ESXi out-of-bounds read vulnerability (CVE-2024-37086)
Description:
VMware ESXi contains an out-of-bounds read vulnerability. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 6.8.
Known Attack Vectors:
A malicious actor with local administrative privileges on a virtual machine with an existing snapshot may trigger an out-of-bounds read leading to a denial-of-service condition of the host.
Resolution:
To remediate CVE-2024-37086 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgments:
VMware would like to thank Hao Zheng (@zhz) and Jiaqing Huang (@s0duku) From TianGong Team of Legendsec at Qi'anxin Group for reporting this issue to us.
Notes:
None.
Response Matrix:
VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
ESXi | 8.0 | Any | CVE-2024-37086 | 6.8 | Moderate | ESXi80U3-24022510 | None | None |
ESXi | 7.0 | Any | CVE-2024-37086 | 6.8 | Moderate | ESXi70U3sq-23794019 | None | None |
VMware Cloud Foundation | 5.x | Any | CVE-2024-37086 | 6.8 | Moderate | 5.2 | None | None |
VMware Cloud Foundation | 4.x | Any | CVE-2024-37086 | 6.8 | Moderate | Async patch to ESXi 7.0 U3q | None | Async Patching Guide: KB88287 |
3c. VMware vCenter denial-of-service vulnerability (CVE-2024-37087)
Description:
The vCenter Server contains a denial-of-service vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors:
A malicious actor with network access to vCenter Server may create a denial-of-service condition.
Resolution:
To remediate CVE-2024-37087 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgments:
VMware would like to thank Guy Lederfein of Trend Micro for reporting this issue to us.
Notes:
[1] vCenter Server 7.0 version (7.0 U3q) mentioned in the response matrix is the first to address this issue but not the latest. The recommendation is to consume the latest version i.e. vCenter Server 7.0 U3r to resolve Critical severity vulnerabilities documented in VMSA-2024-0012.
Response Matrix:
VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
vCenter Server | 8.0 | Any | CVE-2024-37087 | 5.3 | Moderate | 8.0 U3 | None | None |
vCenter Server | 7.0 | Any | CVE-2024-37087 | 5.3 | Moderate | 7.0 U3q [1] | None | None |
VMware Cloud Foundation | 5.x | Any | CVE-2024-37087 | 5.3 | Moderate | 5.2 | None | None |
VMware Cloud Foundation | 4.x | Any | CVE-2024-37087 | 5.3 | Moderate | Async patch to 7.0 U3q [1] | None | Async Patching Guide: KB88287 |
4. References:
Fixed Version(s) and Release Notes:
VMware ESXi 8.0 U3
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?displayGroup=VMware%20vSphere%20-%20Standard&release=8.0&os=&servicePk=202631&language=EN&groupId=204419
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-803-release-notes/index.html
VMware ESXi 7.0 ESXi70U3sq-23794019
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5330
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3q-release-notes/index.html
VMware vCenter Server 8.0 U3
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20vCenter%20Server&displayGroup=VMware%20vCenter%20Server%208.x&release=8.0U3&os=&servicePk=520490&language=EN
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-803-release-notes/index.html
VMware vCenter Server 7.0 U3q
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5329
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3q-release-notes/index.html
VMware Cloud Foundation 5.2
Downloads and Documentation:
https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Cloud%20Foundation&displayGroup=VMware%20Cloud%20Foundation%205.2&release=5.2&os=&servicePk=520823&language=EN
https://docs.vmware.com/en/VMware-Cloud-Foundation/5.2/rn/vmware-cloud-foundation-52-release-notes/index.html
KB Articles:
Cloud Foundation 5.x/4.x:
https://knowledge.broadcom.com/external/article?legacyId=88287
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37087
FIRST CVSSv3 Calculator:
CVE-2024-37085: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE-2024-37086: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVE-2024-37087: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5. Change Log:
2024-06-25 VMSA-2024-0013
Initial security advisory.
2024-07-24 VMSA-2024-0013.1
Updated advisory to add fixed version of VCF 5.x in the Response Matrix of 3a, 3b, and 3c.
2024-08-12 VMSA-2024-0013.2
Additional instructions provided for in-product workarounds for CVE-2024-37085 (KB369707)
6. Contact:
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom All rights reserved.