VMware vCenter Server Vulnerabilities Actively Exploited in Attacks

Broadcom has issued a warning about two critical vulnerabilities identified in VMware vCenter Server. One of these vulnerabilities, enabling remote code execution (RCE), is tracked as CVE-2024-38812 and is currently being actively exploited in cyberattacks.

Details of the Vulnerabilities

1. CVE-2024-38812
   This vulnerability arises from a heap overflow issue in the DCE/RPC protocol implementation in VMware vCenter Server. An attacker can exploit this flaw by sending specially crafted network packets, enabling remote code execution and potentially gaining full control over the system. The vulnerability has a CVSSv3 score of 9.8, categorizing it as highly critical.
2. CVE-2024-38813
   The second vulnerability allows attackers to escalate privileges to root by sending maliciously crafted network packets. This vulnerability has a CVSSv3 score of 7.5, indicating a moderate level of risk.

Affected Versions

The following systems are affected by these vulnerabilities:

• VMware vCenter Server versions 7.0 and 8.0
• VMware Cloud Foundation versions 4.x and 5.x

Broadcom’s Response: Patches and Updates

Broadcom initially released patches to address these vulnerabilities on September 17, 2024. However, on October 21, the company announced that the original patch for CVE-2024-38812 was incomplete and urged customers to apply the new fixes.

On November 18, 2024, Broadcom updated its advisory (VMSA-2024-0019.3) to confirm that both vulnerabilities are being actively exploited in the wild.

Recommendations for Mitigation

Broadcom strongly advises VMware users to install the latest updates immediately, as no workarounds or temporary fixes are available for these vulnerabilities.

Available Updates:

• VMware vCenter Server 8.0: Update to version 8.0 U3d
• VMware vCenter Server 7.0: Update to version 7.0 U3t
• VMware Cloud Foundation 5.x: Apply the asynchronous patch for version 8.0 U3d
• VMware Cloud Foundation 4.x: Apply the asynchronous patch for version 7.0 U3t

Broadcom has also published an FAQ document with additional guidance on deploying these critical updates and addressing potential issues during the update process.

The Importance of Timely Updates

This incident highlights the critical need for promptly applying security updates, particularly for infrastructure components like VMware vCenter Server. With the potential for remote code execution and privilege escalation, organizations are urged to:

• Review their VMware deployments and apply the necessary patches immediately.
• Monitor systems for any signs of compromise.
• Conduct thorough security assessments of systems that may have been exposed.

Conclusion

Given the severe risk posed by these vulnerabilities, users must act swiftly to protect their systems. Regularly monitoring VMware security advisories and implementing recommended protective measures is crucial to safeguarding both individual systems and broader infrastructure.