Introduction

Broadcom has released critical software updates to address significant security vulnerabilities in VMware vCenter Server, specifically CVE-2024-38812 and CVE-2024-38813 [3] [8]. These vulnerabilities pose a substantial risk, potentially leading to remote code execution and full system compromise [6]. The updates are essential for maintaining the security and integrity of affected systems.

Description

Broadcom has released critical software updates to address the security vulnerabilities tracked as CVE-2024-38812 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] and CVE-2024-38813 in VMware vCenter Server. CVE-2024-38812, which has a CVSSv3 base score of 9.8 [1], is a critical heap-overflow issue associated with the Distributed Computing Environment/Remote Procedure Call (DCERPC) protocol implementation [6]. This vulnerability can be exploited by an unauthenticated attacker with network access who sends specially crafted packets, potentially leading to remote code execution (RCE) and full system compromise [6]. Although there have been no known instances of exploitation in the wild [6], the potential risk remains significant [6]. The flaw was initially reported by zbl and srs from team TZL during the Matrix Cup cybersecurity competition in China [5] [9].

VMware acknowledged that the patches released on September 17, 2024 [5] [9], were insufficient to fully resolve CVE-2024-38812. In response, the company issued an updated advisory confirming that new patches [7], including fixes for both CVE-2024-38812 and the related privilege escalation vulnerability CVE-2024-38813, were released on October 21, 2024 [6] [8]. The updated patches fully mitigate the risk associated with CVE-2024-38812. Affected products include VMware vCenter Server versions 7.0.3, 8.0.2, and 8.0.3 [3], as well as VMware Cloud Foundation versions 4.x and 5.x, including 5.1.x. Specific fixed versions are as follows:

  • VMware Cloud Foundation 4.x – Update to 7.0 U3t
  • VMware Cloud Foundation 5.1.x – Update to 8.0 U2e
  • VMware Cloud Foundation 5.x – Update to 8.0 U3d
  • VMware vCenter Server 7.0 – Update to 7.0 U3t
  • VMware vCenter Server 8.0 – Update to 8.0 U2e or 8.0 U3d

Users can download the latest patches by logging into the Broadcom Support Portal. Additional guidance on patching and updating vCenter Server 8.0 deployments [8], along with release notes detailing the resolved security issues, is also available.

Currently, there are no known mitigations for CVE-2024-38812 beyond patching, and organizations are urged to update their systems immediately to mitigate the risk posed by this vulnerability [6]. For further details on the impact of these vulnerabilities on VMware products, users are encouraged to refer to VMSA-2024-0019 and consult VMware’s official documentation for guidance on the asynchronous patching process for VMware Cloud Foundation [10].

Organizations with extended support for VMware vSphere 6.5 and 6.7, which are past their End of General Support dates [3], should follow their processes for assistance [3]: the last update for vSphere 6.7 includes fixes for this issue [3], while there will be no updates for vSphere 6.5 [3]. Any system suspected to be affected should be presumed vulnerable [3], prompting immediate action [3].
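The fixed-version list above is the information a defender actually needs when triaging a vCenter inventory. The following Python helper is an added example, not code from the advisory or from Broadcom: it parses a vCenter Server release designator in the form the advisory uses (major.minor line, update number, patch letter, e.g. "8.0 U3c"), compares it against the fixed releases named on this page (7.0 U3t, 8.0 U2e, 8.0 U3d), and applies the page's own rule that anything not clearly covered is presumed vulnerable. The designator grammar, the assumption that patch letters advance alphabetically within an update, the inventory dictionary and the host names are all constructed for the example.

```python
"""Triage helper: classify vCenter Server release designators against the fixed
releases named for CVE-2024-38812 / CVE-2024-38813 (VMSA-2024-0019).

Assumptions (not from the advisory): a designator looks like "<line> U<n><letter>",
and patch letters within one update advance alphabetically ("" < "a" < "b" ...).
"""
import re

# Fixed releases as listed in the advisory summary: (line, update) -> minimum patch letter.
FIXED = {
    ("7.0", 3): "t",  # vCenter Server 7.0 U3t
    ("8.0", 2): "e",  # vCenter Server 8.0 U2e
    ("8.0", 3): "d",  # vCenter Server 8.0 U3d
}

# Assumed designator grammar, e.g. "7.0 U3s", "8.0 U2e", "8.0U3" (no patch letter).
DESIGNATOR = re.compile(r"^(?P<line>\d+\.\d+)\s*U(?P<update>\d+)(?P<patch>[a-z]?)$")


def parse_designator(text):
    """Split "8.0 U3c" into ("8.0", 3, "c"); raise on anything unrecognised."""
    m = DESIGNATOR.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter designator: {text!r}")
    return m.group("line"), int(m.group("update")), m.group("patch")


def assess(text):
    """Return one of: patched, vulnerable, unsupported-no-fix,
    extended-support-verify-with-vendor, not-covered-presume-vulnerable."""
    line, update, patch = parse_designator(text)
    if line == "6.5":
        # The advisory states no update will be issued for vSphere 6.5.
        return "unsupported-no-fix"
    if line == "6.7":
        # The advisory says the last 6.7 update carries the fix but names no designator,
        # so extended-support customers must confirm with the vendor.
        return "extended-support-verify-with-vendor"
    fixed_updates = [u for (l, u) in FIXED if l == line]
    if not fixed_updates:
        # A line the advisory does not list: apply the page's "presume vulnerable" rule.
        return "not-covered-presume-vulnerable"
    if (line, update) in FIXED:
        # Same update train: the patch letter decides ("" sorts before "a").
        return "patched" if patch >= FIXED[(line, update)] else "vulnerable"
    if update < min(fixed_updates):
        # An older update train on a covered line predates every fixed release.
        return "vulnerable"
    return "not-covered-presume-vulnerable"


def triage(inventory):
    """Map host -> status for a {host: designator} inventory."""
    return {host: assess(designator) for host, designator in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and designators are illustrative.
    sample = {
        "vc-prod-01": "8.0 U3d",
        "vc-prod-02": "8.0 U3",
        "vc-legacy-01": "7.0 U3s",
        "vc-legacy-02": "7.0 U3t",
        "vc-lab-01": "8.0 U1c",
        "vc-old-01": "6.5 U3",
    }
    for host, status in triage(sample).items():
        print(f"{host:14} {sample[host]:10} {status}")
```

Feeding this the output of an inventory export gives a first-pass list of hosts that need the October 21, 2024 patches; any "not-covered" or "extended-support" result is a prompt to check the vendor's release notes rather than a verdict.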

Conclusion

The release of these critical updates underscores the importance of timely patching to safeguard systems against potential exploitation. Organizations using affected VMware products must prioritize the implementation of these patches to prevent remote code execution and system compromise. As the cybersecurity landscape evolves, maintaining vigilance and adhering to best practices in system updates and security protocols remain crucial to mitigating future risks.

References

[1] https://www.virtualizationhowto.com/2024/10/vmware-vcenter-server-vmsa-2024-0019-critical-vulnerability-patch-released/
[2] https://www.redlegg.com/blog/emergency-vulnerability-2024-10-22-vmware
[3] https://www.helpnetsecurity.com/2024/10/22/cve-2024-38812-cve-2024-38813-fixed-again/
[4] https://knowledge.broadcom.com/external/article/380036/release-notes-vmware-vcenter-server-80-u.html
[5] https://thehackernews.com/2024/10/vmware-releases-vcenter-server-update.html
[6] https://socradar.io/critical-vmware-vulnerability-patched-again-in-vcenter-server-cve-2024-38812/
[7] https://securityaffairs.com/170096/security/vmware-failed-to-fix-rce-vcenter-server-cve-2024-38812.html
[8] https://knowledge.broadcom.com/external/article/380043/release-notes-vmware-vcenter-server-80-u.html
[9] https://www.techepages.com/vmware-releases-vcenter-server-update-to-fix-critical-rce-vulnerability/
[10] https://angrysysops.com/2024/10/22/vmware-vcenter-server-vulnerability-patch-released-vmsa-2024-001/
[11] https://knowledge.broadcom.com/external/article/380063/release-notes-vmware-vcenter-server-70-u.html