Critical VMware vCenter Flaw: Broadcom Patches Urgent RCE Vulnerability
Broadcom has released updates to address a critical vulnerability in VMware vCenter Server that could lead to remote code execution. The vulnerability, identified as CVE-2024-38812, with a CVSS score of 9.8, is associated with a buffer overflow in the DCE/RPC protocol.
According to the vendor, an attacker with network access to vCenter Server could exploit this vulnerability by sending specially crafted network packets, allowing them to execute code remotely on the vCenter server.
This flaw is similar to two other remote code execution vulnerabilities—CVE-2024-37079 and CVE-2024-37080—which were addressed in June 2024. Both of these vulnerabilities also received a CVSS score of 9.8.
Additionally, the privilege escalation vulnerability CVE-2024-38813, rated 7.5, has been patched. It allows attackers with network access to elevate privileges to root level. The attack is also triggered by sending specially crafted network packets.
Both vulnerabilities were discovered by security researchers from the TZL team during the Matrix Cup cybersecurity competition held in China in June 2024.
The patches are available for the following versions:
- vCenter Server 8.0 (fixed in version 8.0 U3b);
- vCenter Server 7.0 (fixed in version 7.0 U3s);
- VMware Cloud Foundation 5.x (patch available in version 8.0 U3b);
- VMware Cloud Foundation 4.x (fixed in version 7.0 U3s).
Broadcom emphasized that, as of now, there is no evidence of these vulnerabilities being exploited in the wild, but users are strongly encouraged to update their systems to prevent potential attacks.
Both vulnerabilities stem from memory management errors in VMware vCenter services, which is what makes remote code execution and privilege escalation possible when those services are exploited.
These developments coincided with the release of a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, highlighting the need to address cross-site scripting (XSS) vulnerabilities, which attackers can leverage to compromise systems.