Previously patched vCenter vulnerabilities actively exploited

Broadcom once again released patches

Broadcom appears to be playing catch-up with a recent update for critical vulnerabilities in VMware vCenter Server. These vulnerabilities, which enable remote code execution and privilege escalation, were supposedly fixed last September. That fix proved insufficient, however, and both vulnerabilities have since been actively exploited. Broadcom has released a new update to close the hole, hopefully for real this time.

The vulnerabilities in question are CVE-2024-38812 and CVE-2024-38813. Broadcom’s initial patches on September 17 proved insufficient to fully fix them, at least for CVE-2024-38812. The company has now released revised fixes and strongly advises customers to apply them immediately.

Heap overflow

CVE-2024-38812 is the more serious issue: a heap overflow in vCenter's implementation of the DCERPC protocol, which vCenter uses to invoke remote procedures as if they were local. It received a near-maximum CVSS score of 9.8. An attacker who has network access to the vCenter Server can trigger it with specially crafted network packets and remotely execute code on the affected server.

There were no viable workarounds for this problem, so patching was the only effective solution, although Broadcom needed to issue an additional patch to really close the hole. Broadcom has also confirmed that this vulnerability has been exploited in the wild. Those who want more clarity on the situation can refer to Broadcom's FAQ.

Privilege escalation

The second vulnerability, CVE-2024-38813, involves privilege escalation and has been ‘rewarded’ with a CVSS score of 7.5. This vulnerability allows attackers to escalate privileges all the way to root level, also via specially crafted network packets. As with the heap overflow flaw, no workarounds are available for this vulnerability.

Again, Broadcom recommends immediate patching. Although these are two different vulnerabilities, Broadcom released the patches side by side, possibly to prevent coordinated attacks that would exploit both vulnerabilities.
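The practical consequence of the story above is that "patched in September" is not the same as "patched": an appliance carrying only the initial fix still needs the revised one. The script below is an added example, not code from the article or from Broadcom, showing how a defender can triage a fleet of vCenter Server appliances into unpatched, partially patched (September fix only) and fully patched. The build numbers are placeholders that must be replaced with the fixed builds from Broadcom's advisory and FAQ, and the JSON responses are constructed samples in the shape of the appliance version endpoint (`/api/appliance/system/version`), not captured output.

```python
"""Triage vCenter Server appliances by build number.

Added example (not from the article or Broadcom). The build numbers below are
PLACEHOLDERS: substitute the fixed builds from Broadcom's advisory/FAQ for
CVE-2024-38812 and CVE-2024-38813 before using this on real inventory data.
"""
import json

# Hypothetical build thresholds, oldest to newest. NOT the real fixed builds.
SEPTEMBER_PATCH_BUILD = 24000000  # placeholder: initial (insufficient) September fix
REVISED_PATCH_BUILD = 24500000    # placeholder: revised fix that fully closes the hole

# Constructed sample responses shaped like GET /api/appliance/system/version;
# only the fields the check uses are included.
SAMPLE_VERSION_RESPONSES = [
    '{"product": "VMware vCenter Server", "version": "8.0.2.00300", "build": "23900000"}',
    '{"product": "VMware vCenter Server", "version": "8.0.3.00100", "build": "24000000"}',
    '{"product": "VMware vCenter Server", "version": "8.0.3.00200", "build": "24500000"}',
]


def classify_build(build: int) -> str:
    """Map a numeric build to a patch state relative to the two fix levels."""
    if build >= REVISED_PATCH_BUILD:
        return "patched"
    if build >= SEPTEMBER_PATCH_BUILD:
        # Carries the September fix only: still exposed, must take the revised update.
        return "partially-patched"
    return "unpatched"


def assess(version_json: str) -> dict:
    """Parse one version response and return version, build and patch state."""
    data = json.loads(version_json)
    if data.get("product") != "VMware vCenter Server":
        raise ValueError(f"not a vCenter Server appliance: {data.get('product')!r}")
    build = int(data["build"])
    return {"version": data["version"], "build": build, "status": classify_build(build)}


def triage(responses):
    """Assess a list of version responses; appliances needing action come first."""
    order = {"unpatched": 0, "partially-patched": 1, "patched": 2}
    return sorted((assess(r) for r in responses), key=lambda a: order[a["status"]])


if __name__ == "__main__":
    for item in triage(SAMPLE_VERSION_RESPONSES):
        print(f"{item['version']:<14} build {item['build']}  {item['status']}")
```

The three-state result is the point: a plain "is it newer than the September build" check would report the middle appliance as safe, which is exactly the gap the revised patches address.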

vCenter Server is the central system that allows users to manage virtual infrastructures on VMware’s vSphere virtualization platform. Broadcom has owned it for about a year now. It is widely used in data centers and large enterprises to manage virtual machines and host servers.
