VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)

Broadcom has released new patches for previously fixed vulnerabilities (CVE-2024-38812, CVE-2024-38813) in vCenter Server, one of which was not fully addressed the first time and could allow attackers to achieve remote code execution.


The vulnerabilities were privately reported by zbl & srs of team TZL – researchers who participated in the 2024 Matrix Cup in June 2024. Broadcom maintains that they are not currently aware of exploitation “in the wild.”

CVE-2024-38812 and CVE-2024-38813

VMware vCenter Server is enterprise software for managing VMware vSphere virtual environments.

CVE-2024-38812 is an unauthenticated heap-overflow vulnerability in the implementation of the DCERPC protocol that can lead to RCE and can be triggered by sending a specially crafted network packet to a vulnerable installation.

CVE-2024-38813 can be similarly triggered by attackers to escalate privileges to root.

Apply the new patches

Aside from completing the fix for CVE-2024-38812, the new updates resolve an operational issue created by the first patch: session timeouts when accessing vCenter.

Broadcom strongly encourages customers to apply the new patches, listed in the updated advisory.

To prevent misunderstanding, the company has published a supplemental FAQ, which offers additional guidance.

CVE-2024-38812 and CVE-2024-38813 affect VMware vCenter and any products that contain vCenter, including VMware vSphere and VMware Cloud Foundation, the document spells out.

The provided patches are applicable to vCenter 7.0.3, 8.0.2, and 8.0.3, and there are asynchronous patches for VMware Cloud Foundation 4.x and 5.x.

The vulnerabilities also affect VMware vSphere 6.5 and 6.7, which are past their End of General Support dates.

“However, the last update for vSphere 6.7 contains updates to resolve this issue. There will not be an update for vSphere 6.5. If your organization has extended support please use those processes to request assistance,” the company advised.

“If there is any uncertainty about whether a system is affected, it should be presumed vulnerable, and immediate action should be taken.”

UPDATE (November 19, 2024, 06:35 a.m. ET):

Broadcom has updated the supplemental FAQ document to say that “exploitation has occurred ‘in the wild’ for CVE-2024-38812 and CVE-2024-38813”.
