Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution

Broadcom on Tuesday published fixes to address a significant security hole hitting VMware vCenter Server that may pave the door for remote code execution.

The vulnerability, identified as CVE-2024-38812 (CVSS score: 9.8), has been characterized as a heap-overflow issue in the DCE/RPC interface.

"A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution," the virtualization services provider stated in an advisory.

The deficiency is comparable to two previous remote code execution issues, CVE-2024-37079 and CVE-2024-37080 (CVSS scores: 9.8), that VMware fixed in vCenter Server in June 2024.

Also resolved by VMware is a privilege escalation weakness in the vCenter Server (CVE-2024-38813, CVSS score: 7.5) that might allow a hostile actor with network access to the instance to escalate privileges to root by delivering a carefully designed network packet.

Security researchers zbl and srs of team TZL have been credited with identifying and disclosing the two issues at the Matrix Cup cybersecurity competition held in China back in June 2024. They have been fixed in the following versions -

vCenter Server 8.0 (Fixed in 8.0 U3b)

vCenter Server 7.0 (Fixed in 7.0 U3s)

VMware Cloud Foundation 5.x (Fixed in 8.0 U3b as an asynchronous patch)

VMware Cloud Foundation 4.x (Fixed in 7.0 U3s as an asynchronous patch)

Broadcom said it's not aware of malicious exploitation of the two vulnerabilities, but has recommended customers to upgrade their installations to the newest versions to defend against possible dangers.

"These vulnerabilities are memory management and corruption issues which can be used against VMware vCenter services, potentially allowing remote code execution," the firm warned.

The revelation comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advice advising enterprises to work towards eradicating cross-site scripting (XSS) issues that threat actors might use to access networks.

"Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs," the government agencies added. "These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts."