Broadcom has released an urgent alert indicating that VMware vCenter Server is currently under attack due to two critical vulnerabilities.
One of the vulnerabilities, known as CVE-2024-38812, is a remote code execution (RCE) flaw with a maximum CVSSv3 score of 9.8.
The CVE-2024-38812 vulnerability arises from a heap overflow issue in the vCenter Server’s implementation of the DCE/RPC protocol. By sending a specially crafted packet, an attacker with network access can exploit this vulnerability, potentially leading to remote code execution and complete system compromise.
The other vulnerability, CVE-2024-38813, enables threat actors to elevate privileges to root by sending maliciously crafted network packets. This vulnerability has a CVSSv3 score of 7.5.
These vulnerabilities were discovered by researchers zbl & srs of team TZL during China’s 2024 Matrix Cup hacking event. They impact VMware vCenter Server versions 7.0 and 8.0 as well as VMware Cloud Foundation versions 4.x and 5.x.
Following the initial disclosure of these vulnerabilities, Broadcom, the current owner of VMware, issued patches on September 17, 2024. However, an update on October 21 stated that the original fix for CVE-2024-38812 was incomplete and urged customers to apply the new patches promptly.
On November 18, 2024, Broadcom confirmed active exploitation of both CVE-2024-38812 and CVE-2024-38813, as indicated in its security advisory (VMSA-2024-0019.3).
Due to the critical nature and ongoing exploitation of these vulnerabilities, it is highly recommended that organizations utilizing affected VMware products promptly install the latest security updates. As there are no workarounds available, patching remains the sole effective course of action.
The updated versions for the impacted products are:
- For VMware vCenter Server 8.0: Upgrade to version 8.0 U3d
- For VMware vCenter Server 7.0: Upgrade to version 7.0 U3t
- For VMware Cloud Foundation 5.x: Apply async patch to 8.0 U3d
- For VMware Cloud Foundation 4.x: Apply async patch to 7.0 U3t
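The list above gives the fixed release names, so a defender's first task is to compare an inventory of vCenter instances against them. The following is an added example, not code from the article or from Broadcom: it parses release names in the advisory's "7.0 U3t" / "8.0 U3d" style (assuming that within an update, the GA release sorts below "a", which sorts below "b", and so on) and flags anything below the fixed release for its line. The hostnames and releases in the inventory are constructed for illustration; build numbers are not used because the article does not give them.

```python
import re
from typing import Optional

# Fixed releases named in VMSA-2024-0019.3, keyed by vCenter version line.
FIXED_RELEASE = {"8.0": "8.0 U3d", "7.0": "7.0 U3t"}

# Matches "8.0", "8.0 U3" and "8.0 U3d" style release names.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+U(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_release(name: str) -> tuple:
    """Turn a release name into a sortable (major, minor, update, letter) tuple.
    Assumed ordering: '8.0' < '8.0 U1' and '8.0 U3' < '8.0 U3a' < '8.0 U3b'."""
    m = _RELEASE_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter release name: {name!r}")
    major, minor, update, letter = m.groups()
    update_n = int(update) if update else 0
    letter_n = (ord(letter.lower()) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), update_n, letter_n)


def is_patched(release: str) -> Optional[bool]:
    """True if at or above the fixed release for its line, False if below,
    None if the line (e.g. 6.7) is not one the advisory covers."""
    parsed = parse_release(release)
    fixed = FIXED_RELEASE.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed >= parse_release(fixed)


def triage(inventory: dict) -> dict:
    """Map each host to 'patched', 'VULNERABLE' or 'not in advisory scope'."""
    labels = {True: "patched", False: "VULNERABLE", None: "not in advisory scope"}
    return {host: labels[is_patched(rel)] for host, rel in inventory.items()}


# Constructed sample inventory (hostnames and releases are made up).
SAMPLE_INVENTORY = {
    "vcsa-prod-01.example.test": "8.0 U3d",
    "vcsa-prod-02.example.test": "8.0 U3b",
    "vcsa-lab.example.test": "7.0 U3s",
    "vcsa-dr.example.test": "7.0 U3t",
    "vcsa-legacy.example.test": "6.7 U3",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {SAMPLE_INVENTORY[host]:9} {status}")
```

Releases on a line the advisory does not list are reported separately rather than as patched, since the article only states that 7.0 and 8.0 are affected.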
Broadcom has provided a supplementary FAQ to offer further guidance on deploying these critical security updates and addressing any known issues that may affect systems that have already been updated.
This incident emphasizes the urgency of promptly applying security updates, particularly for vital infrastructure components like VMware vCenter Server.
It is recommended that organizations review their VMware setups, install the required patches, and stay vigilant for any signs of compromise. Given the risk of remote code execution and privilege escalation, any potentially exposed systems should undergo comprehensive security evaluations.
The article “VMware vCenter Server RCE Vulnerability Actively Exploited in Attacks” was published on Cyber Security News.