Skip to content
Join the Censys Community Forum: Connect, Share, and Thrive! | Start Here
Blogs

June 18, 2024: Heap Overflow Vulnerabilities in VMWare vCenter Server

Issue Name and Description: The vCenter Server is currently facing a critical situation with multiple heap overflow vulnerabilities in its implementation of the DCERPC protocol. VMware has evaluated these issues as Critical, with a maximum CVSSv3 base score of 9.8.

Date Published: Jun 18, 2024

CVE-ID and CVSS Score:
CVE-2024-37079, CVSS Score: 9.8
CVE-2024-27080, CVSS Score: 9.8

CWE: CWE-122 (Heap-based Buffer Overflow)

Asset Description: While there isn’t much information about this attack, we do know that it’s a vulnerability in the vCenter Server’s implementation of DCE/RPC. It should be noted that DCERPC is not the same as the vCenter Server HTTP interface; they are completely different protocols running on different ports.

  • vCenter Server versions < “8.0 U2d”
  • vCenter Server versions < “8.0 U1e”
  • vCenter Server versions < “7.0 U3r”

Vulnerability Impact: A malicious actor with network access to the vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet, which could lead to remote code execution. The “specially crafted network packet” is assumed to be that of the DCERPC protocol.

Exploitation Details: There are currently no details about the vulnerability outside of the advisory.

Patch Availability:

Detection with Censys:

References

About the Author

The Censys Research Team
Attack Surface Management Solutions
Learn more