
VMware vulnerabilities have been exploited in attacks after the initially released patches failed to fix the flaws
The vulnerabilities, tracked as CVE-2024-38812 and CVE-2024-38813, were first patched on September 17th, but Broadcom then issued an October update to the original patches after admitting its initial effort did not completely address either vulnerability.
Broadcom has now issued a second patch for both vCenter bugs, and the vendor assured customers it was not currently aware of exploitation in the wild.
The first vulnerability, tracked as CVE-2024-38812 with a CVSS score of 9.8, is a critical heap-overflow vulnerability in the handling of the Distributed Computing Environment/Remote Procedure Call (DCERPC) protocol. An attacker with network access could exploit this flaw by sending a specially crafted packet, potentially allowing them to remotely execute malicious code on a vulnerable system.
The second vulnerability, tracked as CVE-2024-38813 with a CVSS score of 7.5, is a privilege escalation vulnerability. It also requires network access to vCenter Server; an attacker who has that can exploit the bug to escalate privileges to root.
Both CVEs put versions 7 and 8 of vCenter Server and versions 4 and 5 of VMware Cloud Foundation at risk of exploitation.
Broadcom addressed the vulnerabilities with the release of the following versions:
- vCenter Server 8.0 U3b and 7.0 U3s
- VMware Cloud Foundation 5.x (Fixed in 8.0 U3b as an asynchronous patch)
- VMware Cloud Foundation 4.x (Fixed in 7.0 U3s as an asynchronous patch)
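As an added example (not code from the advisory or from Broadcom), the following Python check parses vCenter's "X.Y UNl" version strings and compares them against the fixed builds listed above, so an administrator can tell quickly which appliances in an inventory are still below the patched release. It assumes the "major.minor U<update><letter>" string format and that update letters are ordered alphabetically (U3a before U3b); the fixed-version table is taken from the list above and should be replaced if the vendor publishes newer builds.

```python
import re
from typing import NamedTuple

# Fixed vCenter Server releases as listed in the advisory above.
# VMware Cloud Foundation 5.x / 4.x map onto the 8.0 / 7.0 lines respectively.
FIXED_VERSIONS = {
    "8.0": "8.0 U3b",
    "7.0": "7.0 U3s",
}

# Assumed format: "<major>.<minor> U<update><optional letter>", e.g. "8.0 U3b".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\s+U(\d+)([a-z]?)$", re.IGNORECASE)


class VcVersion(NamedTuple):
    major: int
    minor: int
    update: int
    letter: str  # "" for an update with no letter suffix; sorts before "a"


def parse_version(text: str) -> VcVersion:
    """Parse a vCenter version string into a tuple that compares chronologically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    return VcVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                     m.group(4).lower())


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unsupported-line' for a vCenter version.

    Only the 7.0 and 8.0 lines named in the advisory are evaluated; anything
    else is reported as 'unsupported-line' so it is not silently treated as safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{v.major}.{v.minor}")
    if fixed is None:
        return "unsupported-line"
    # Tuple comparison: update number first, then the letter suffix.
    return "patched" if v >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"vc-prod-01": "8.0 U3", "vc-prod-02": "8.0 U3c", "vc-lab": "7.0 U3r"}
    for host, ver in inventory.items():
        print(f"{host:<12} {ver:<9} {assess(ver)}")
```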

