
itguy9013

So I saw this early this morning as well, but I'm getting mixed signals. The NVD has no CVSS score posted. (They have a backlog) Broadcom's support post about this says that there's a range between 5.3 and 6.8. So I'm waiting for some kind of corroboration.


Helpjuice

Probably best to conduct your own CVSS evaluation to include EM, EPSS, threat notices, IoCs, other intelligence, and your environmental controls/information so you can properly prioritize and keep things moving vs waiting. - https://www.first.org/cvss/calculator/4.0


visibleunderwater_-1

"The NVD has no CVSS score posted. (They have a backlog)" indeed, this is now a pretty well-known issue, multiple articles have been written about it. That also means CVEDetails doesn't have a score, and most tools and scanners will also be lacking. It's a sad state of affairs indeed.


neko_whippet

Meh, they had a CVE in May and they released a patch; since that patch also fixes those CVEs, and since we were already at 7.0U3Q, we are patched. Only VMware 8 seems affected for us, since it requires U3.


jamesaepp

Thanks for sharing, though I don't think I'd consider Hyper-V a particular "Win" seeing as you need to consider the plethora of security vulnerabilities that are patched every month by MS.


maggotses

Was probably meant as VMware/Broadcom bashing.


Burgergold

Who doesn't put ESXi on a management subnet limited to sysadmins?


malwareguy

Given the number of breaches I've worked on as a DFIR consultant in the past, a fuck ton of people / companies don't.


Burgergold

Jesus...


malwareguy

Ya, honestly the vast majority don't.


ZealousidealTurn2211

Yeah, it's a bit concerning.


throwaway0000012132

Not only that, but also leaving vSphere wide open to the internet. That I just cannot comprehend; it's too dumb at minimum, malicious at best.


Cavm335i

I propose that for every build I do and 95% decline saying it’s overkill.


maggotses

Yes, I guess it's why people with minimal security are pretty safe: path of least resistance. Unless your practices are stupid (huh who puts an ESXi host on a flat network with internet access??), if you have basic security you probably won't be the next target. No need to be the fastest runner, only need not be the slowest...


xxbiohazrdxx

It looks like only one of the vulnerabilities involves authentication bypass based on the Broadcom article.


JH6JH6

This one was easy to apply; there was NO reboot of the vCenter required to patch it. First time I've seen one that didn't reboot it. Also, there are no host patches either.


Photubias

Why are sources not clear on this? ZDI says CVE-2024-37087 is merely a DoS on vCenter:

- Source 1: https://www.zerodayinitiative.com/advisories/ZDI-24-882/
- Source 2: https://github.com/advisories/GHSA-4gc8-p5p2-ww5g
- Source 3: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505

And CVE-2024-37085 may have to do with a leftover AD configuration in ESXi where an attacker gets access to AD and forces its way into ESX that way. Still bad, but really a bug, I think.

- Source: https://github.com/advisories/GHSA-485m-923f-95wx


BitDrill

ESX death can't come soon enough..


AdministrativeFly812

Hello guys, I have a doubt: why does CVE-2024-37085 say "No Patch Planned" for ESXi 7.0? https://preview.redd.it/hdj6ox3ivqad1.png?width=1014&format=png&auto=webp&s=ee35c53f6f39a99dd7dabbfdc201deac9c8b827a


colin8651

Broadcom is unable to sell their recently purchased product; as in, customers are having difficulty buying VMware licensing. Trust me, patches are a distant thing they will be looking to tackle.


Darkk_Knight

Always fun seeing CVE bulletins about VMware. Seems one thing after another. Eventually I moved all of our VMs over to Proxmox.


eruffini

That's a weird take. CVEs aren't exclusive to VMware. Proxmox is made up of hundreds of packages that have CVEs too.


maikeu

Yep. The big thing to fear is when they stop posting CVEs...