Preface: In computer security, arbitrary code execution (ACE) is an attacker’s ability to run any commands or code of the attacker’s choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution.

Background: vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts.

Vulnerability details: The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.

The vendor did not disclose details. Are there any design flaws similar to the following:

Ref: The HTTP header offers two distinct ways of specifying where the request ends: the Transfer-Encoding header and the Content-Length header. An HTTP request smuggling vulnerability occurs when an attacker sends both headers in a single request. This can cause either the front-end or the back-end server to incorrectly interpret the request, passing through a malicious HTTP query.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-22274

Initial publication: 14th May 2024

Preface: What happens if a website uses a user-supplied URL in a URL fragment to redirect the logged-in user to the requested page?

Background: CWE 601 – An open redirect vulnerability occurs when an application allows the user to control redirects or forward to another URL. If the application does not validate untrusted user input, an attacker could provide a URL that redirects an unsuspecting victim from a legitimate domain to the attacker’s phishing site.

Vulnerability details: CVE-2024-23664: A URL redirection to untrusted site (‘Open Redirect’) (CWE-601) vulnerability in FortiAuthenticator may allow an attacker to redirect users to an arbitrary website via a crafted URL.

Ref: You should validate the workspace ID first. If the workspace ID is valid, you can proceed with the HTTP request and return the response. However, if the workspace ID is invalid, you should handle the error appropriately.

Official details: Please refer to the link for details – https://fortiguard.fortinet.com/psirt/FG-IR-23-465

Official last updated on May 8, 2024. An early advisory for this vulnerability was issued on March 5, 2024.

Preface: If you recall, this design flaw was discovered in April 2021. Has it been fixed? Or it is vendors fine-tuned their vulnerability management strategies?

Background: A Transfer Ring is an array of Transfer Request Blocks (TRBs). Each TRB points to a block of contiguous data (up to 64 KB) that will be transferred between hardware and memory as a single unit. The xHCI does not require this constraint. Any buffer pointed to by a Normal, Data Stage, or Isoch TRB in a TD may be any size between 0 and 64K bytes in size. For instance, if when an OS translates a virtual memory buffer into a list of physical pages, some of the entries in the list reference multiple contiguous pages, the flexible Length fields of TRBs allow a 1:1 mapping of list 68 entries to TRBs, i.e. a multi-page list entry does not need to be defined as multiple page sized TRBs.

Vulnerability details: VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

Official announcement: Please refer to the link for details – https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24266

This announcement original published on 20th Feb 2024

Preface: When two components have problems in the same place. If vendor did not specify the details in clear. In this circumstances, the design weakness looks the same.

Background: The Enhanced Authentication Plugin (EAP) is an extra software package that doesn’t come pre-installed. Administrators need to install it on client computers used for administration to allow direct login when using the VMware vSphere Client through a web browser.

The VMware EAP is a deprecated browser plugin that enables seamless single sign-on (SSO) to vSphere’s management interface from client workstations. It is an optional feature that stopped receiving support with the release of VMware vCenter Server 7.0.0u2 in March 2021.

Vulnerability details:

Session Hijack Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22250) – The VMware Enhanced Authentication Plug-in (EAP) contains a Session Hijack vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin (CVE-2024-22245) – The VMware Enhanced Authentication Plug-in (EAP) contains an Arbitrary Authentication Relay vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.6.

Official announcement: Please refer to the link for details:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24257

https://nvd.nist.gov/vuln/detail/CVE-2024-22250

https://nvd.nist.gov/vuln/detail/CVE-2024-22245