CVE-2024-37081 - Local Privilege Escalation in vCenter Server Appliance Due to Sudo Misconfiguration

A critical vulnerability (CVE-2024-37081) has been identified in VMware's vCenter Server Appliance, a web-based application that allows administrators to manage VMware ESXi hosts and clusters. The vulnerability could allow non-administrative users with local access to the system to escalate their privileges, essentially granting them root access on the vCenter Server system.

Description of CVE-2024-37081

The vulnerability exists due to improper configuration of sudo, a widely-used program that enables non-root users to execute certain commands as root. The vulnerable vCenter Server configurations allow authenticated, non-administrative users to execute arbitrary commands as root without being prompted for a password. Consequently, an attacker with local vCenter Server access can exploit this sudo misconfiguration to elevate their privileges and take control over the vCenter Server appliance.

Example Code Snippet

The following code snippet demonstrates how an authenticated, non-administrative user can escalate their privileges and gain root access on a vCenter Server appliance:

$ ssh user@vcenter.example.com
user@vcenter.example.com's password: <Enter your password>
(user input) $ sudo -i
(root input) # whoami
root

In this case, the user can execute sudo -i to obtain a root shell without being prompted for a password. This demonstrates that the non-administrative user now has unrestricted root access to the vCenter Server system.

Exploit Details

Local attackers with non-administrative user accounts can exploit this vulnerability to gain root access on the affected vCenter Server appliances by executing the following steps:

Identify commands with the NOPASSWD option in the sudo configuration file using sudo -l.

3. Exploit the sudo misconfiguration by executing one of the identified commands as root, without being prompted for a password.

Solution and Mitigation

VMware has released a security advisory (VMSA-2024-0002) and updated versions of vCenter Server to address this vulnerability:

vCenter Server 7. Update 1b

Users are strongly advised to update their vCenter Server systems to the latest requisite version as soon as possible to mitigate the risk posed by this vulnerability.

Additionally, administrators should review and secure their sudo configurations to ensure that non-administrative users do not have unnecessary access to sensitive system commands.

References

- CVE-2024-37081
- VMware Security Advisory VMSA-2024-0002
- VMware vCenter Server Documentation

Timeline

Published on: 06/18/2024 06:15:11 UTC
Last modified on: 08/02/2024 03:43:50 UTC