Broadcom has released fixes for two vulnerabilities affecting VMware vCenter Server that can be triggered by sending a specially crafted network packet, and could lead to remote code execution (CVE-2024-38812) or privilege escalation (CVE-2024-38813).
“Broadcom is not currently aware of exploitation ‘in the wild’,” the company says, but noted that organizations should promptly act to install one of the updated versions.
VMware has patched a similarly critical RCE flaw (CVE-2023-34048) in vCenter Server in October 2023, and Mandiant revealed a few months later that it had been exploited by a highly advanced China-backed espionage group for years.
About the vulnerabilities
VMware vCenter Server is software for managing VMware vSphere virtual environments.
CVE-2024-38812 is an unauthenticated heap-overflow vulnerability in the implementation of the DCE/RPC protocol that may potentially lead to RCE. The cause of CVE-2024-38813 has not been shared, but it may be exploited by authenticated attackers to escalate privileges to root.
They affect vCenter Server versions 8.0 and 7.0 and VMware Cloud Foundation versions 5.x and 4.x (since VMware Cloud Foundation contains vCenter).
Both vulnerabilities have been reported by researchers who participated in the 2024 Matrix Cup, a hacking competition that took place in Qingdao, China, in June.
What to do?
Admins are advised to upgrade to one of the fixed versions, since there are no alternative workarounds.
“While other mitigations may be available depending on your organization’s security posture, defense-in-depth strategies, and firewall configurations, each organization must evaluate the adequacy of these protections independently,” Broadcom states.
“The most reliable method to address these vulnerabilities is to apply the recommended patches.”
The company also reassured that updating vCenter will not affect running workloads: “vCenter is the management interface to a vSphere cluster. You will lose the use of the vSphere Client briefly during the update, and other management methods will be similarly impacted, but virtual machine and container workloads will be unaffected.”