CVE-2024-37079 Google Chronicle · YARA-L

Detect VMware vCenter Server Out-of-bounds Write (CVE-2024-37079) in Google Chronicle

Detects exploitation attempts targeting CVE-2024-37079, an out-of-bounds write vulnerability (CWE-787) in Broadcom VMware vCenter Server. This KEV-listed vulnerability allows unauthenticated remote attackers to trigger memory corruption via malformed DCERPC requests to the vCenter management interface, potentially leading to remote code execution with SYSTEM-level privileges on the vCenter appliance.

MITRE ATT&CK

Tactic

  • Initial Access
  • Execution
  • Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cve_2024_37079_vcenter_oob_write {
  meta:
    author = "df00tech"
    description = "Detects CVE-2024-37079 exploitation: VMware vCenter Server out-of-bounds write via memory corruption signals and anomalous management port activity"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453"
    cve = "CVE-2024-37079"
    mitre_attack = "T1190"

  events:
    (
      (
        $e1.metadata.event_type = "PROCESS_UNCAUGHT_EXCEPTION"
        and $e1.principal.hostname = /vcenter|vcs/
        and $e1.target.process.file.full_path = /vpxd|vmdir|vmdird|vmafdd/
      )
      or
      (
        $e1.metadata.event_type = "NETWORK_CONNECTION"
        and (
          $e1.target.port = 443
          or $e1.target.port = 902
          or $e1.target.port = 5480
          or $e1.target.port = 9443
        )
        and $e1.target.hostname = /vcenter|vcs/
        and not $e1.principal.ip in %authorized_management_cidrs
      )
      or
      (
        $e1.metadata.event_type = "GENERIC_EVENT"
        and $e1.principal.hostname = /vcenter|vcs/
        and $e1.metadata.description = /segfault|heap-buffer-overflow|SIGSEGV|core dump|DCERPC|out.of.bounds|CVE-2024-37079/
      )
    )

  condition:
    $e1
}
Severity: critical · Confidence: medium

Chronicle YARA-L rule detecting CVE-2024-37079 exploitation through process crash events on vCenter hosts, anomalous inbound connections to vCenter management ports from unauthorized sources, and memory corruption log entries.

Data Sources

  • Chronicle UDM events
  • Endpoint telemetry
  • Network telemetry

Required Tables

  • Process events
  • Network connection events
  • Generic/log events

False Positives & Tuning

  • vCenter processes restarted by VMware lifecycle manager during patching generating PROCESS_UNCAUGHT_EXCEPTION events
  • Authorized monitoring platforms connecting to vCenter management ports from IPs outside documented management CIDRs
  • Penetration testing engagements with authorized scope covering vCenter infrastructure
  • High-availability failover events triggering abnormal vCenter process termination signals

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate vCenter DCERPC Malformed Request (Lab Only)

    Expected signal: Network flow log entry showing TCP connection attempt to target:135 with large payload; vCenter DCERPC service log entry showing parse error or malformed packet rejection

  2. Test 2: Trigger vCenter vpxd Process Crash via Resource Exhaustion (Lab Only)

    Expected signal: Syslog entry on vCenter appliance: vpxd[PID]: segfault at [address]; core dump file created at /var/core/vpxd-[timestamp].core

  3. Test 3: Probe vCenter Management Ports from Unauthorized IP (Lab Only)

    Expected signal: Firewall/network logs showing TCP SYN packets from scanner IP to vCenter management ports; vCenter access logs showing connection attempts to /ui, /sdk, VAMI endpoints

  4. Test 4: Validate vCenter Log Forwarding and Crash Pattern Matching

    Expected signal: Syslog message appearing in SIEM ingestion pipeline with process name vpxd and severity daemon.crit containing the synthetic crash string
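As an added example that is not part of the original rule page, the Python below mirrors the rule's three branches (process crash, unauthorized management-port connection, memory-corruption log text) over constructed sample events, so the crash-string matching of Test 4 and the vpxd segfault syslog line of Test 2 can be checked offline before the rule is deployed. The syslog-to-UDM mapping, the flat event dictionary shape and the 10.10.0.0/24 CIDR (standing in for the %authorized_management_cidrs reference list) are assumptions, not Chronicle's own normalisation.

```python
import ipaddress
import re

# Regexes and port set copied from the rule's three branches
VCENTER_HOST = re.compile(r"vcenter|vcs")
VCENTER_PROC = re.compile(r"vpxd|vmdir|vmdird|vmafdd")
CRASH_TEXT = re.compile(
    r"segfault|heap-buffer-overflow|SIGSEGV|core dump|DCERPC|out.of.bounds|CVE-2024-37079")
MGMT_PORTS = {443, 902, 5480, 9443}
# Constructed stand-in for the %authorized_management_cidrs reference list
AUTHORIZED_CIDRS = [ipaddress.ip_network("10.10.0.0/24")]
# 'host proc[pid]: message' is a simplified syslog shape (assumption)
SYSLOG_RE = re.compile(r"^(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

def syslog_to_udm(line):
    """Map a syslog line to a flat GENERIC_EVENT-style dict (hypothetical mapping)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"event_type": "GENERIC_EVENT", "principal_hostname": "", "description": line}
    return {"event_type": "GENERIC_EVENT", "principal_hostname": m["host"],
            "description": f"{m['proc'].strip()}: {m['msg']}"}

def is_authorized(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_CIDRS)

def matches_rule(ev):
    """Return which branch of the rule a flat UDM-style event satisfies, or None."""
    etype, host = ev.get("event_type"), ev.get("principal_hostname", "")
    if etype == "PROCESS_UNCAUGHT_EXCEPTION":
        if VCENTER_HOST.search(host) and VCENTER_PROC.search(ev.get("target_process_path", "")):
            return "process_crash"
    elif etype == "NETWORK_CONNECTION":
        if (ev.get("target_port") in MGMT_PORTS
                and VCENTER_HOST.search(ev.get("target_hostname", ""))
                and not is_authorized(ev["principal_ip"])):
            return "unauthorized_mgmt_access"
    elif etype == "GENERIC_EVENT":
        if VCENTER_HOST.search(host) and CRASH_TEXT.search(ev.get("description", "")):
            return "memory_corruption_log"
    return None

# Constructed sample telemetry: one hit per branch plus two benign events
SAMPLE_EVENTS = [
    syslog_to_udm("vcenter01 vpxd[4321]: segfault at 7ffd0000 ip 00005555 sp 00007ffd error 4"),
    syslog_to_udm("vcenter01 systemd[1]: Started vmware-vpxd.service"),
    {"event_type": "NETWORK_CONNECTION", "principal_ip": "10.10.0.5", "target_hostname": "vcenter01", "target_port": 5480},
    {"event_type": "NETWORK_CONNECTION", "principal_ip": "198.51.100.7", "target_hostname": "vcenter01", "target_port": 443},
    {"event_type": "PROCESS_UNCAUGHT_EXCEPTION", "principal_hostname": "vcs-prod", "target_process_path": "/usr/lib/vmware-vpx/vpxd"},
]
```

The regex matches are case-sensitive here, as YARA-L regex literals are by default, so a host named VCENTER01 would be missed by both this script and the rule unless `nocase` is added.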
