VMware released patches for two critical vulnerabilities in its vCenter Server platform and warned that there’s a major risk of remote code execution attacks.
The first vulnerability tracked as CVE-2024-38812 with a CVSS score of 9.8 is a heap-overflow in th Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol implementation within vCenter Server. An attacker with network access to the server could send a specially crafted packet to execute remote code.
The second vulnerability tracked as CVE-2024-38813 with a CVSS score of 7.5 is described as a privilege escalation vulnerability in which amalicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.
The vulnerabilities impact VMware vCenter Server versions 7.0 and 8.0, as well as VMware Cloud Foundation versions 4.x and 5.x. VMware has provided fixed versions (vCenter Server 8.0 U3b and 7.0 U3s) and patches for Cloud Foundation users. No workarounds have been found for either vulnerability, making patching the only viable solution.
VMware credited the discovery of the issues to research teams participating in the 2024 Chinese Matrix Cup hacking competition.
