VMware vCenter Server RCE Vulnerability Actively Exploited in Attacks


Broadcom has issued an urgent warning that two critical vulnerabilities in VMware vCenter Server are now being actively exploited in the wild.

The more severe of the two flaws is a remote code execution (RCE) vulnerability tracked as CVE-2024-38812, which carries a maximum CVSSv3 score of 9.8.


CVE-2024-38812 stems from a heap overflow weakness in the vCenter Server’s implementation of the DCE/RPC protocol. An attacker with network access can trigger this vulnerability by sending a specially crafted packet, potentially leading to remote code execution and full system compromise.

The second vulnerability, CVE-2024-38813, allows attackers to escalate privileges to root by sending maliciously crafted network packets. It has a CVSSv3 score of 7.5.

Both vulnerabilities were initially reported by researchers zbl & srs of team TZL during China’s 2024 Matrix Cup hacking contest. They affect VMware vCenter Server versions 7.0 and 8.0 and VMware Cloud Foundation versions 4.x and 5.x.


Broadcom, which now owns VMware, first released patches for these vulnerabilities on September 17, 2024. However, on October 21, the company updated its advisory, stating that the original fix for CVE-2024-38812 was incomplete. Customers were strongly urged to apply the new patches immediately.

The confirmation of active exploitation came on November 18, 2024, when Broadcom updated its security advisory (VMSA-2024-0019.3) to note that both CVE-2024-38812 and CVE-2024-38813 are being exploited in the wild.

Given these vulnerabilities’ critical nature and active exploitation, organizations using affected VMware products are strongly advised to apply the latest security updates without delay. No workarounds are available for these flaws, making patching the only effective mitigation strategy.

The latest fixed versions for affected products are:

  • VMware vCenter Server 8.0: Update to version 8.0 U3d
  • VMware vCenter Server 7.0: Update to version 7.0 U3t
  • VMware Cloud Foundation 5.x: Apply async patch to 8.0 U3d
  • VMware Cloud Foundation 4.x: Apply async patch to 7.0 U3t
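For teams with more than one vCenter instance, the check below compares each appliance's reported version against the latest fixed release for its line and flags anything older. It is an added example, not Broadcom's tooling; the numeric version strings standing in for 8.0 U3d and 7.0 U3t are constructed placeholders and must be replaced with the exact values from the VMSA-2024-0019.3 advisory, and the sample inventory is constructed. Because the comparison is against the re-released fix, an appliance that only received the incomplete September patch is reported as still needing the update.

```python
"""Flag vCenter Server instances that are below the latest fixed release."""

# Version strings in the dotted form the vCenter appliance REST API reports
# for system/version (e.g. "8.0.3.00300"). The values below are CONSTRUCTED
# PLACEHOLDERS, not the real U3d/U3t versions: take those from VMSA-2024-0019.3.
FIXED_VERSIONS = {
    "8.0": "8.0.3.00400",   # placeholder for vCenter Server 8.0 U3d
    "7.0": "7.0.3.02100",   # placeholder for vCenter Server 7.0 U3t
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.0.3.00300' into (8, 0, 3, 300) so versions compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected vCenter version string: {version!r}")
    return tuple(int(p) for p in parts)


def release_line(version: str) -> str:
    """'8.0.3.00300' -> '8.0', the product line used to pick the fixed version."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def is_patched(version: str) -> bool:
    """True if the build is at or above the latest fixed release for its line.

    A build carrying only the incomplete first fix sorts below the re-released
    fix and is therefore reported as unpatched. Lines without a listed fix
    (for example 6.x, which is out of support) are treated as unpatched.
    """
    fixed = FIXED_VERSIONS.get(release_line(version))
    if fixed is None:
        return False
    return parse_version(version) >= parse_version(fixed)


def needs_update(inventory: dict[str, str]) -> list[str]:
    """Return the names of instances that still need the security update."""
    return [name for name, ver in inventory.items() if not is_patched(ver)]


# Constructed sample inventory: hostnames and versions are not real systems.
SAMPLE_INVENTORY = {
    "vcsa-prod": "8.0.3.00400",   # at the placeholder fixed version
    "vcsa-dr": "8.0.3.00300",     # one release behind: still vulnerable
    "vcsa-lab": "7.0.3.02000",    # 7.0 line, below the placeholder fix
}

if __name__ == "__main__":
    for name in needs_update(SAMPLE_INVENTORY):
        target = FIXED_VERSIONS[release_line(SAMPLE_INVENTORY[name])]
        print(f"{name}: update to {target}")
```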

Broadcom has also released a supplemental FAQ providing additional guidance on deploying these critical security updates and addressing known issues that may impact systems that have already been upgraded.

This incident underscores the importance of promptly applying security updates, especially for critical infrastructure components like VMware vCenter Server.

Organizations are advised to review their VMware deployments, apply the necessary patches, and monitor for any signs of compromise. Given the potential for remote code execution and privilege escalation, any systems that may have been exposed should undergo thorough security assessments.
