Additional update needed to fix for VMware vCenter Server vulnerability
This Alert is intended for U-M IT staff who are responsible for systems running VMware vCenter Server.
New Information
VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address a critical vulnerability that could lead to possible remote code execution (CVE-2024-38812). Please update vCenter Server as soon as possible after appropriate testing. The patches are currently listed in the Response Matrix of VMSA-2024-0019.
Because of the severity of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
The following is the original Alert from September 17, 2024. New articles have been added to the References section of this Alert.
Summary
VMware has released updates to address critical vulnerabilities in VMware vCenter Server and VMware Cloud Foundation that could lead to possible remote code execution (CVE-2024-38812) and escalation of privileges to root (CVE-2024-38813). Affected VMware servers and components should be updated as soon as possible after appropriate testing.
Problem
The critical vulnerabilities in VMware vCenter Server can be exploited by a threat actor with network access to vCenter Server who sends a specially crafted network packet, in order to:
- Trigger the vulnerability, potentially leading to remote code execution.
- Escalate privileges to root.
Threats
At the time of publication for this Alert, IA is not aware of active exploitation.
Affected Versions
Any version of vCenter Server or VMware Cloud Foundation prior to fixed versions 8.0 U3b and 7.0 U3t, as listed in the Response Matrix in VMSA-2024-0019.
Action Items
Update vCenter Server as soon as possible after appropriate testing. Because of the severity of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21). Links to updates and additional information can be found in VMSA-2024-0019.
Technical Details
According to Broadcom, these vulnerabilities are memory management and corruption issues that can be used against VMware vCenter services, potentially allowing remote code execution. CVE-2024-38812 is a heap-overflow vulnerability in the implementation of the DCERPC protocol.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (Help Net Security, 10/22/24)
- VMware fixes bad patch for critical vCenter Server RCE flaw (Bleeping Computer, 10/22/24)
- VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) (Broadcom, 9/17/24)
- CVE-2024-38812 (MITRE, 6/19/24)
- CVE-2024-38813 (MITRE, 6/19/24)
- VMware Patches Remote Code Execution Flaw Found in Chinese Hacking Contest (Security Week, 9/17/24)