CERT-In Vulnerability Note
CIVN-2024-0228
Multiple Vulnerabilities in VMware Products
Original Issue Date: July 31, 2024
Severity Rating: HIGH
Software Affected
- VMware ESXi 7.0
- VMware ESXi 8.0
- VMware vCenter Server 7.0
- VMware vCenter Server 8.0
- VMware Cloud Foundation 4.x
- VMware Cloud Foundation 5.x
Overview
Multiple vulnerabilities have been reported in VMware products which could allow an attacker to bypass authentication and trigger denial of service conditions on the targeted system.
Description
1. Authentication Bypass (CVE-2024-37085)
This vulnerability exists in VMware ESXi due to insufficient Active Directory (AD) permissions. Successful exploitation of this vulnerability could allow an attacker to gain full access to the targeted system. Note: CVE-2024-37085 is being exploited in the wild.
2. Denial of Service (CVE-2024-37086)
This vulnerability exists in VMware ESXi due to an out-of-bounds error. Successful exploitation of this vulnerability could allow an attacker to cause a denial of service condition on the targeted system.
3. Denial of Service (CVE-2024-37087)
This vulnerability exists in VMware vCenter Server due to improper validation of user-supplied input within the License Server. Successful exploitation of this vulnerability could allow an attacker to cause a denial of service condition on the targeted system.
Solution
Apply appropriate software fixes as available on the vendor website.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
Vendor Information
VMware
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
References
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
CVE Name
CVE-2024-37085
CVE-2024-37086
CVE-2024-37087
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India