
Critical VMware Vulnerabilities Under Active Attack: Immediate Patching Required
Cybersecurity teams are on high alert as Broadcom has released urgent security patches for two critical vulnerabilities in VMware vCenter Server, one of which is a zero-day flaw being actively exploited in the wild. The vulnerabilities, when chained together, can allow a malicious actor to achieve full remote code execution on compromised systems.
The security advisory, VMSA-2024-0003, addresses critical flaws affecting both VMware vCenter Server and VMware Cloud Foundation. Organizations using these products are strongly urged to take immediate action to mitigate this significant threat.
Understanding the Critical Vulnerabilities
The threat stems from the combination of two distinct security flaws:
CVE-2024-21765: This is a critical heap-overflow vulnerability in the vCenter Server’s DCE/RPC protocol implementation. A malicious actor with network access to the vCenter Server could exploit this flaw to execute arbitrary code on the underlying operating system. This vulnerability carries a high severity score of 9.8 out of 10.
CVE-2023-46805: This is a local privilege escalation vulnerability within vCenter Server. An attacker who has already gained low-level access to the system can exploit this flaw to elevate their privileges to root, granting them complete control. This vulnerability is rated 7.8 out of 10.
By combining these two flaws, a remote attacker can first gain a foothold on the server and then escalate their privileges to take it over entirely, posing a severe risk to the entire virtualized infrastructure managed by vCenter.
Active Exploitation by Threat Actor UNC5174
Security researchers have confirmed that these vulnerabilities are not just theoretical. A sophisticated threat actor, tracked as UNC5174, has been observed exploiting this zero-day vulnerability chain in real-world attacks.
This group is known for its stealth and persistence, deploying unique malware designed to maintain long-term access and exfiltrate sensitive data. Analysis of their attacks reveals the use of several custom tools, including:
- VIRTUALPITA: A backdoor that allows the attacker to upload and download files and execute commands on the compromised vCenter appliance.
- VIRTUALPIE: A sophisticated webshell that can be used to manage files, run commands, and maintain a persistent presence on the system.
The primary motive of this threat actor appears to be espionage and data theft, targeting sensitive information stored within corporate networks.
What Products Are Affected?
System administrators must determine whether their environments are at risk. The following product versions are confirmed to be vulnerable:
- VMware vCenter Server versions 7.0 and 8.0
- VMware Cloud Foundation versions 4.x and 5.x
Broadcom has released patches for all affected versions. There are currently no known workarounds for these vulnerabilities, making the application of security updates the only effective mitigation.
How to Protect Your Systems: A 3-Step Action Plan
Given the active exploitation of these vulnerabilities, immediate and decisive action is required to secure your virtual infrastructure.
Patch Immediately: Your top priority must be to apply the security updates outlined in VMSA-2024-0003. Delaying this process leaves your organization exposed to a known and active threat. Do not wait for your next scheduled patch cycle.
Hunt for Signs of Compromise: Because this vulnerability was exploited as a zero-day, it is essential to investigate your systems for any signs of an existing breach. Security teams should proactively search for Indicators of Compromise (IOCs) associated with UNC5174, including suspicious network connections, unfamiliar files in vCenter directories, and unexpected system behavior.
Enhance Network Security and Monitoring: As a best practice, limit network access to the vCenter Server management interface. It should not be exposed to the public internet. Segment your network to restrict access to critical management consoles and enhance monitoring of traffic to and from these servers to detect anomalous activity quickly.
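As an added illustration of steps 2 and 3 (not code from the article or from Broadcom), the script below reviews constructed flow records for two of the signals named above: the vCenter management interface being reached from outside the administrator subnets, and the appliance itself opening connections to external hosts. The vCenter address, the admin subnet, the port list and the record format are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed environment values for this example (not from the advisory).
VCENTER_IP = ipaddress.ip_address("10.0.5.10")
ADMIN_SUBNETS = [ipaddress.ip_network("10.0.100.0/24")]   # hosts allowed to manage vCenter
MGMT_PORTS = {443}                                        # vCenter management interface
# RFC 1918 ranges; listed explicitly because ipaddress.is_private also treats
# documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in an assumed "src_ip,dst_ip,dst_port,bytes" format.
SAMPLE_FLOWS = """\
10.0.100.15,10.0.5.10,443,4120
203.0.113.77,10.0.5.10,443,980
10.0.5.10,198.51.100.23,443,52000000
10.0.5.10,10.0.5.20,902,3000
"""

@dataclass
class Finding:
    rule: str
    flow: str

def parse_flows(text):
    """Turn the constructed CSV-style records into (src, dst, port, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, nbytes = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)))
    return flows

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def review_flows(text, exfil_threshold=10_000_000):
    """Flag management access from outside the admin subnets and external connections from vCenter."""
    findings = []
    for src, dst, port, nbytes in parse_flows(text):
        desc = f"{src}->{dst}:{port} ({nbytes} bytes)"
        # Step 3: management interface reached from a host outside the allowed subnets.
        if dst == VCENTER_IP and port in MGMT_PORTS and not any(src in n for n in ADMIN_SUBNETS):
            findings.append(Finding("mgmt-access-outside-admin-subnet", desc))
        # Step 2: the appliance itself connecting out to a non-internal host; a large
        # transfer is separated out because exfiltration is the actor's stated goal.
        if src == VCENTER_IP and not is_internal(dst):
            rule = "vcenter-large-outbound-transfer" if nbytes >= exfil_threshold else "vcenter-outbound-to-external"
            findings.append(Finding(rule, desc))
    return findings

if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f"[{f.rule}] {f.flow}")
```

The two flagged records in the sample are the external address reaching port 443 on the appliance and the 52 MB transfer from the appliance to a non-internal host; the admin-subnet login and the internal ESXi traffic are left alone.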
The exploitation of this vulnerability chain is a stark reminder of the critical importance of robust patch management and proactive threat hunting, especially for core infrastructure components like hypervisor management platforms.
Source: https://securityaffairs.com/182816/uncategorized/broadcom-patches-vmware-zero-day-actively-exploited-by-unc5174.html