
WARNING: VMWARE VCENTER SERVER UPDATES ADDRESS HEAP-OVERFLOW AND PRIVILEGE ESCALATION VULNERABILITIES, PATCH IMMEDIATELY!

Reference: Advisory #2024-224
Version: 1.3
Affected software: VMware vCenter Server, VMware Cloud Foundation
Type: Heap-overflow and privilege escalation
CVE/CVSS:
CVE-2024-38812 / CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-38813 / CVSS 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Risks

VMware vCenter Server has a critical heap-overflow vulnerability (CVE-2024-38812) in its implementation of the DCERPC protocol, with a CVSSv3 score of 9.8, potentially leading to unauthenticated remote code execution. Remote code execution on vCenter, which manages the whole virtualisation estate, can lead to severe outcomes, including data loss, service interruptions, ransomware attacks, the spread of malware, and the attacker's ability to move laterally to compromise other critical IT systems.

A threat actor could exploit the privilege escalation vulnerability (CVE-2024-38813) to escalate privileges to root, thereby granting them full control over the machine.

UPDATE 2024-10-22: VMware has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812. All customers are strongly encouraged to apply the patches currently listed in the Response Matrix in the vendor's advisory, even if the September patches were already installed. Additionally, patches for the 8.0 U2 line are also available.

VMware also published a supplemental FAQ for additional clarification.

Description

CVE-2024-38812 is a heap-overflow vulnerability in the implementation of the DCERPC protocol. By crafting a specific network packet, a malicious actor with network access to vCenter Server could exploit this vulnerability, potentially leading to remote code execution. At the time of initial publication no exploitation had been observed, but similar vulnerabilities in related software have been targeted by threat actors in the past.

Update 2024-11-19: VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812. Urgent patching is advised!

CVE-2024-38813 is a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.

Update 2024-11-19: VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38813. Urgent patching is advised!

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. Please note there is no workaround available for these vulnerabilities.
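Because the September 17 patches did not fully fix CVE-2024-38812 and each vCenter release line (7.0 U3, 8.0 U2, 8.0 U3) has its own corrected build, a version check has to compare the running build against the fixed build of the same line rather than just look for "a patch was installed". The following is an added example, not code from the CCB or from VMware. It assumes the `vpxd -v` output format `VMware VirtualCenter 8.0.3 build-24322018` (as seen on the appliance shell; verify on your own hosts) and uses placeholder build numbers in `EXAMPLE_FIXED_BUILDS` that must be replaced with the values from the Response Matrix in the vendor's advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Output of `vpxd -v` on a vCenter Server Appliance, assumed format:
#   VMware VirtualCenter 8.0.3 build-24322018
# Third version component maps to the update release: 8.0.3 == 8.0 U3.
VPXD_RE = re.compile(r"VMware VirtualCenter (\d+)\.(\d+)\.(\d+)\s+build-(\d+)")

# PLACEHOLDER values (constructed for this example). Replace each entry with
# the first fully fixed build of that line from the vendor's Response Matrix.
EXAMPLE_FIXED_BUILDS: Dict[str, int] = {
    "8.0 U3": 20000000,
    "8.0 U2": 19000000,
    "7.0 U3": 18000000,
}


def parse_vpxd_version(text: str) -> Optional[Tuple[str, int]]:
    """Return (release line, build number), e.g. ("8.0 U3", 24322018).

    Returns None if the text does not look like `vpxd -v` output.
    """
    m = VPXD_RE.search(text)
    if not m:
        return None
    major, minor, update, build = m.groups()
    return f"{major}.{minor} U{update}", int(build)


def is_fixed(text: str, fixed_builds: Dict[str, int]) -> Optional[bool]:
    """Compare the running build with the fixed build of its own release line.

    True  -> build is at or above the fixed build for that line
    False -> build is older than the fix (still vulnerable, even if an
             earlier, incomplete patch was applied)
    None  -> output unparseable or the line is not in the table; treat as
             "unknown, investigate", never as "safe"
    """
    parsed = parse_vpxd_version(text)
    if parsed is None:
        return None
    line, build = parsed
    fixed = fixed_builds.get(line)
    if fixed is None:
        return None
    return build >= fixed


if __name__ == "__main__":
    # Constructed sample outputs, one per situation the check distinguishes.
    samples = [
        "VMware VirtualCenter 8.0.3 build-19999999",  # 8.0 U3, pre-fix build
        "VMware VirtualCenter 8.0.3 build-20000000",  # 8.0 U3, fixed build
        "VMware VirtualCenter 8.0.2 build-19000500",  # 8.0 U2 line, fixed
        "VMware VirtualCenter 6.7.0 build-15000000",  # unsupported line
    ]
    for s in samples:
        print(f"{s!r:50} -> fixed={is_fixed(s, EXAMPLE_FIXED_BUILDS)}")
```

Run this with the output of `vpxd -v` from each appliance (or from the version string exposed by the vSphere API), and treat both `False` and `None` as action items: `False` means the line is known and the build is below the corrected one, `None` means the line is not covered by the table and needs manual review against the vendor matrix.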
 
Monitor/Detect
 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
