Additional update needed to fix for VMware vCenter Server vulnerability

This Alert is intended for U-M IT staff who are responsible for systems running VMware vCenter Server.

New Information

VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address a critical vulnerability that could lead to possible remote code execution (CVE-2024-38812). Please update vCenter Server as soon as possible after appropriate testing. The patches are currently listed in the Response Matrix of VMSA-2024-0019.

Because of the severity of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).


The following is the original Alert from September 17, 2024. New articles have been added to the References section of this Alert.

Summary

VMware has released updates to address critical vulnerabilities in VMware vCenter Server and VMware Cloud Foundation that could lead to possible remote code execution (CVE-2024-38812) and escalation of privileges to root (CVE-2024-38813). Affected VMware servers and components should be updated as soon as possible after appropriate testing.

Problem

The critical vulnerabilities in VMware vCenter Server can be exploited to enable a threat actor with network access to vCenter Server to send a specially crafted network packet to:

  • Trigger a vulnerability to potentially lead to remote code execution.
  • Escalate privileges to root.

Threats

At the time of publication for this Alert, IA is not aware of active exploitation.

Affected Versions

Any version of vCenter Server or VMware Cloud Foundation prior to fixed versions 8.0 U3b and 7.0 U3t, as listed in the Response Matrix in VMSA-2024-0019.

Action Items

Update vCenter Server as soon as possible after appropriate testing. Because of the severity of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Links to updates and additional information can be found in VMSA-2024-0019.

Technical Details

According to Broadcom, these vulnerabilities are memory management and corruption issues which can be used against VMware vCenter services, potentially allowing remote code execution. CVE-2024-38812 contains a heap-overflow vulnerability in the implementation of the DCERPC protocol.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.