tothi/VMSA-2024-0012.yaml

## VMSA-2024-0012.yaml
id: VMSA-2024-0012

info:
  name: VMware vCenter Server heap-overflow (potential RCE) and privilege escalation
  author: "@an0n_r0"
  severity: critical
  description: |
    CVE-2024-37079, CVE-2024-37080: vCenter Server multiple heap-overflow vulnerabilities
    CVE-2024-37081: vCenter Server local privilege escalation due to misconfiguration of sudo
  impact: |
    CVE-2024-37079, CVE-2024-37080: A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution.
    CVE-2024-37081: An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.
  reference: |
    https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
    https://core.vmware.com/resource/vmsa-2024-0012-questions-answers
    https://knowledge.broadcom.com/external/article/326316/build-numbers-and-versions-of-vmware-vce.html
  tags: cve, cve2024, rce, vmsa, vmware

http:
  - method: POST
    path:
      - '{{BaseURL}}/sdk'
    body: |
      <soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header><operationID>00000001-00000001</operationID></soap:Header>
      <soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent>
      </soap:Body></soap:Envelope>

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - '<version>([^<]*)</version>'

      - type: regex
        part: body
        group: 1
        name: build
        regex:
          - '<build>([^<]*)</build>'

    matchers:
      - type: dsl
        dsl:
          - compare_versions(version, "\>=7.0", "\<8.0")
          - compare_versions(build, "\<24026615")
        condition: and
        name: vcenter70x
      - type: dsl
        dsl:
          - compare_versions(version, "\>=8.0", "\<8.0.2")
          - compare_versions(build, "\<24005165")
        condition: and
        name: vcenter801
      - type: dsl
        dsl:
          - compare_versions(version, "=8.0.2")
          - compare_versions(build, "\<23929136")
        condition: and
        name: vcenter802
	id: VMSA-2024-0012

	info:
	name: VMware vCenter Server heap-overflow (potential RCE) and privilege escalation
	author: "@an0n_r0"
	severity: critical
	description: \|
	CVE-2024-37079, CVE-2024-37080: vCenter Server multiple heap-overflow vulnerabilities
	CVE-2024-37081: vCenter Server local privilege escalation due to misconfiguration of sudo
	impact: \|
	CVE-2024-37079, CVE-2024-37080: A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution.
	CVE-2024-37081: An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance.
	reference: \|
	https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
	https://core.vmware.com/resource/vmsa-2024-0012-questions-answers
	https://knowledge.broadcom.com/external/article/326316/build-numbers-and-versions-of-vmware-vce.html
	tags: cve, cve2024, rce, vmsa, vmware

	http:
	- method: POST
	path:
	- '{{BaseURL}}/sdk'
	body: \|
	<soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
	<soap:Header><operationID>00000001-00000001</operationID></soap:Header>
	<soap:Body><RetrieveServiceContent xmlns="urn:internalvim25"><_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this></RetrieveServiceContent>
	</soap:Body></soap:Envelope>

	extractors:
	- type: regex
	part: body
	group: 1
	name: version
	regex:
	- '<version>([^<]*)</version>'

	- type: regex
	part: body
	group: 1
	name: build
	regex:
	- '<build>([^<]*)</build>'

	matchers:
	- type: dsl
	dsl:
	- compare_versions(version, "\>=7.0", "\<8.0")
	- compare_versions(build, "\<24026615")
	condition: and
	name: vcenter70x
	- type: dsl
	dsl:
	- compare_versions(version, "\>=8.0", "\<8.0.2")
	- compare_versions(build, "\<24005165")
	condition: and
	name: vcenter801
	- type: dsl
	dsl:
	- compare_versions(version, "=8.0.2")
	- compare_versions(build, "\<23929136")
	condition: and
	name: vcenter802