PoC Exploit Released for VMware vCenter CVE-2024-37081 Vulnerability
A security researcher has published a proof-of-concept (PoC) targeting CVE-2024-37081, a recently patched high-severity vulnerability in VMware vCenter Server. Rated CVSS 7.8, the flaw stems from a misconfiguration of sudo permissions and allows an authenticated local user without administrative privileges to escalate to root on the vCenter Server Appliance.
The following versions of vCenter Server are impacted by this vulnerability:
- vCenter Server: 8.0 and 7.0
- Cloud Foundation (vCenter Server): 5.x and 4.x
Security researcher Matei “Mal” Badanoiu has been credited with discovering and reporting the flaw. The vulnerability arises from a misconfiguration in the “/etc/sudoers” file, which preserves environment variables such as “PYTHONPATH” and “VMWARE_PYTHON_PATH” when commands are executed through sudo. Because these variables control where the Python interpreter loads code from, the misconfiguration lets a local user run arbitrary commands as root, bypassing the restrictions the sudo rules were meant to enforce.
The crux of the issue is the “Defaults env_keep” setting in “/etc/sudoers”. Variables listed there survive sudo’s normal environment reset, so a misconfigured list allows dangerous environment variables to propagate into the commands sudo runs. Several sudo users and groups are affected as a result, including %operator, %admin, infraprofile, vpxd, sts, and pod.
By setting these environment variables before invoking sudo, an attacker can:
- Load malicious Python code: point the interpreter at attacker-controlled locations (e.g., “/tmp/”) so that arbitrary Python code runs with root privileges.
- Execute malicious scripts or executables: substitute malicious files for the legitimate scripts or executables the sudo rule permits, again gaining root-level command execution.
- Abuse sudo flags: introduce flags into the permitted sudo commands that allow arbitrary files to be read with root privileges.
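The defensive counterpart to the issue described above is checking what a sudoers file actually preserves. The following audit helper is an added example, not the article’s or the researcher’s code: it replays the “Defaults env_keep” assignments (=, += and -=, per Defaults scope, with backslash continuations) and reports which risky variables each scope still keeps. The sudoers text is constructed; PYTHONPATH and VMWARE_PYTHON_PATH come from the article, while LD_PRELOAD and LD_LIBRARY_PATH are well-known loader variables added for the same reason.

```python
import re
from typing import Dict, List, Set

# Variables the article names as preserved by the vulnerable sudoers, plus two
# well-known dynamic-loader variables that carry the same risk (editor's addition).
DANGEROUS_ENV = {"PYTHONPATH", "VMWARE_PYTHON_PATH", "LD_PRELOAD", "LD_LIBRARY_PATH"}

# "Defaults", optionally scoped (Defaults:user, Defaults@host, Defaults>runas, Defaults!cmd)
_DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")
# env_keep = "..." (reset), env_keep += "..." (add), env_keep -= "..." (remove)
_ENV_KEEP_RE = re.compile(r'env_keep\s*([+-]?=)\s*"?([^",]*)"?')


def _logical_lines(text: str) -> List[str]:
    """Strip '#' comments, drop blank lines and join backslash-continued lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line:
            lines.append(line)
    return lines


def effective_env_keep(text: str) -> Dict[str, Set[str]]:
    """Replay every env_keep assignment; key '' is the global Defaults scope."""
    keep: Dict[str, Set[str]] = {}
    for line in _logical_lines(text):
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group(1) or ""
        for op, value in _ENV_KEEP_RE.findall(m.group(2)):
            names = set(value.split())
            current = keep.setdefault(scope, set())
            if op == "=":
                keep[scope] = names
            elif op == "+=":
                current |= names
            else:  # "-="
                current -= names
    return keep


def audit_sudoers(text: str) -> Dict[str, Set[str]]:
    """Return {scope: risky variables still preserved}, only for scopes that fail."""
    return {scope: names & DANGEROUS_ENV
            for scope, names in effective_env_keep(text).items()
            if names & DANGEROUS_ENV}


# Constructed sample modelled on the misconfiguration the article describes.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep += "PYTHONPATH \\
    VMWARE_PYTHON_PATH"
Defaults:backup env_keep += "LD_PRELOAD"
Defaults:backup env_keep -= "LD_PRELOAD"
%operator ALL=(root) NOPASSWD: /usr/bin/python3 /opt/example/run.py
"""

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS))
```

Run it against the output of visudo -c or the files under /etc/sudoers.d as well, since env_keep can be extended from any included file.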
VMware has addressed this vulnerability in the following fixed versions: