Programmer’s Digest #87
06/12/2024-06/19/2024 VMware Issues Patches, Google Warns of Pixel Firmware Security Flaw, Exploit for Veeam Recovery Orchestrator Auth Bypass And More.
1. VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi
VMware has released updates to fix critical flaws in Cloud Foundation, vCenter Server, and vSphere ESXi, which could lead to privilege escalation and remote code execution.
The vulnerabilities are:
- CVE-2024-37079 & CVE-2024-37080 (CVSS 9.8): Heap-overflow issues in the DCE/RPC protocol allowing remote code execution via crafted network packets.
- CVE-2024-37081 (CVSS 7.8): Local privilege escalation in vCenter due to sudo misconfiguration, enabling non-admin users to gain root access.
Previously, in October 2023, VMware patched CVE-2023-34048 (CVSS 9.8), another critical DCE/RPC flaw. These issues affect vCenter Server versions 7.0 and 8.0 and are fixed in 7.0 U3r, 8.0 U1e, and 8.0 U2d. Users should apply these patches promptly even though no active exploitation has been reported.
2. Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day
Google has warned of a zero-day security flaw in Pixel Firmware, CVE-2024-32896, being exploited in the wild. This high-severity vulnerability is an elevation of privilege issue. The company did not share any additional details about the nature of the attacks exploiting it, but noted that “there are indications that CVE-2024-32896 may be under limited, targeted exploitation.”
The June 2024 security update addresses a total of 50 security vulnerabilities, five of which relate to various components in Qualcomm chipsets. Key patches address a Modem DoS issue and information disclosure flaws in GsmSs, ACPM, and Trusty. The update is available for Pixel 5a with 5G, Pixel 6 series, Pixel 7 series, Pixel 8 series, and Pixel Fold. GrapheneOS maintainers clarified that CVE-2024-32896 and CVE-2024-29748 concern the same vulnerability affecting all devices but mitigations are specific to Pixels.
3. Exploit for Veeam Recovery Orchestrator Auth Bypass Available, Patch Now
A proof-of-concept (PoC) exploit for Veeam Recovery Orchestrator’s critical authentication bypass vulnerability, CVE-2024-29855, has been released by researcher Sina Kheirkhah. This vulnerability, rated 9.0 (critical) on the CVSS scale, impacts Veeam Recovery Orchestrator (VRO) versions 7.0.0.337, 7.1.0.205, and older.
The flaw allows unauthenticated attackers to log into the VRO web UI with admin privileges using a hardcoded JSON Web Token (JWT) secret, enabling them to generate valid tokens. Veeam recommends upgrading to versions 7.1.0.230 and 7.0.0.379 to mitigate the issue.
Kheirkhah’s post shows the vulnerability is easier to exploit than described by Veeam, bypassing some requirements like knowing the exact username and role. The public availability of this exploit heightens the risk, making prompt patching essential.
4. New Malware Targets Exposed Docker APIs for Cryptocurrency Mining
Cybersecurity researchers have identified a new malware campaign targeting exposed Docker API endpoints to deliver cryptocurrency miners and other malicious payloads. The tools include a remote access utility for executing additional malware and propagating via SSH, according to a Datadog report.
This campaign shows similarities to the previous Spinning YARN activity, which targeted misconfigured services like Apache Hadoop YARN and Docker for cryptojacking. Attackers focus on Docker servers with open ports, starting with reconnaissance and privilege escalation.
Malware is delivered through a shell script named “vurl,” which includes other scripts such as “b.sh” and “ar.sh.” These scripts fetch further payloads, disable firewalls, and scan for vulnerable hosts. The campaign also uses Go-based binaries like “chkstart” to complicate analysis and facilitate remote access, and tools like “exeremo” for spreading infection and “fkoths” to erase traces of the malware.
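Campaigns like this one get in because the Docker daemon's TCP listener is reachable without client authentication. The following audit script is an added example, not code from the Datadog report or from Docker: it reads `daemon.json` contents and flags a `tcp://` listener that lacks `tlsverify`, and notes a TLS-verified listener bound to all interfaces. The sample configurations are constructed for the demo. One caveat: the listener can also be set with the `dockerd -H` flag in the service unit, so the running process's arguments need the same check.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents for the demo (not taken from the report).
SAMPLE_CONFIGS = {
    "exposed_plaintext": json.dumps({
        "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    }),
    "tls_verified": json.dumps({
        "hosts": ["tcp://0.0.0.0:2376"],
        "tlsverify": True,
        "tlscacert": "/etc/docker/ca.pem",
        "tlscert": "/etc/docker/server-cert.pem",
        "tlskey": "/etc/docker/server-key.pem",
    }),
    "local_only": json.dumps({"hosts": ["fd://"]}),
}


def audit_daemon_config(raw_json: str) -> list:
    """Return (severity, message) findings for the listeners in a daemon.json document."""
    cfg = json.loads(raw_json)
    findings = []
    tls_verified = bool(cfg.get("tlsverify", False))
    for entry in cfg.get("hosts", []):
        url = urlsplit(entry)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        host = url.hostname or ""  # "tcp://:2375" has no hostname and binds everywhere
        bind_all = host in ("", "0.0.0.0", "::")
        if not tls_verified:
            findings.append((
                "high",
                f"{entry}: TCP listener without tlsverify; any client that can reach "
                f"it can create containers and run commands as root on this host",
            ))
        elif bind_all:
            findings.append((
                "info",
                f"{entry}: TLS client auth is on but the listener is bound to all "
                f"interfaces; restrict the bind address or firewall the port",
            ))
    return findings


def worst_severity(findings: list) -> str:
    """Collapse findings to a single level for alerting."""
    levels = {sev for sev, _ in findings}
    return "high" if "high" in levels else ("info" if "info" in levels else "none")


if __name__ == "__main__":
    for name, raw in SAMPLE_CONFIGS.items():
        result = audit_daemon_config(raw)
        print(f"{name}: {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

A "high" finding here is the precondition the campaign depends on; closing it means either dropping the TCP listener entirely or enabling mutual TLS and restricting who can reach the port.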