Broadcom Releases Patch for vCenter Server Multiple Vulnerabilities (CVE-2024-38812 & CVE-2024-38813)

VMware vCenter Server is affected by two security vulnerabilities, tracked as CVE-2024-38812 and CVE-2024-38813. The first (CVE-2024-38812) carries a critical severity rating and may allow an attacker to achieve remote code execution. The second (CVE-2024-38813) may result in privilege escalation.

CISA added both CVEs to its Known Exploited Vulnerabilities Catalog, acknowledging their active exploitation. CISA urged users to patch the vulnerabilities before December 11, 2024.

VMware vCenter is advanced server management software. It provides a centralized platform for controlling vSphere environments, giving visibility across hybrid clouds. The software protects the vCenter Server Appliance and related services with native high availability (HA) and a recovery time objective of under 10 minutes.

VMware vCenter Server Heap-overflow Vulnerability (CVE-2024-38812)

The heap-overflow vulnerability in the implementation of the DCERPC protocol has a critical severity rating with a CVSSv3 base score of 9.8. An attacker must have network access to the vCenter Server to exploit it, and may do so by sending a specially crafted network packet, potentially leading to remote code execution.

VMware vCenter Privilege Escalation Vulnerability (CVE-2024-38813)

The privilege escalation vulnerability has an important severity rating with a CVSSv3 base score of 7.5. An attacker must have network access to the vCenter Server to exploit it, and may do so by sending a specially crafted network packet to escalate privileges to root.

Affected Products

  • VMware vCenter Server
  • VMware Cloud Foundation

Affected Versions

  • VMware vCenter Server Virtual Appliance 7.0 Update 3s before build 24201990
  • VMware vCenter Server Virtual Appliance 8.0 Update 3b before build 24262322

Mitigation

Broadcom updated the advisory on 22 October 2024, stating that the vCenter patches released on September 17, 2024, did not fully address CVE-2024-38812.

The new patched versions are as follows:

  • VMware vCenter Server 8.0 U3d
  • VMware vCenter Server 8.0 U2e
  • VMware vCenter Server 7.0 U3t
  • VMware Cloud Foundation Async patch to 8.0 U3d
  • VMware Cloud Foundation Async patch to 8.0 U2e
  • VMware Cloud Foundation Async patch to 7.0 U3t

For more information about the mitigation, please refer to Broadcom Security Advisory (VMSA-2024-0019).
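As an added triage example (not Qualys or Broadcom code), the script below classifies vCenter appliances from a constructed inventory against the two build thresholds quoted in the Affected Versions section, and flags hosts that only carry the initial September 2024 patch, which the 22 October 2024 advisory update says did not fully fix CVE-2024-38812. The inventory rows and the `classify`/`triage` function names are assumptions.

```python
"""Triage vCenter Server build numbers against the thresholds quoted in this post.

Constructed example. The two build thresholds (24201990 for 7.0 Update 3s,
24262322 for 8.0 Update 3b) come from the post; the inventory rows are sample data.
"""
import re

# Minimum build of the initial September 2024 patch, keyed by the version line
# named in the post (7.0 Update 3 = 7.0.3, 8.0 Update 3 = 8.0.3).
SEPT_2024_PATCH_BUILD = {
    "7.0.3": 24201990,  # vCenter Server 7.0 Update 3s
    "8.0.3": 24262322,  # vCenter Server 8.0 Update 3b
}

# Constructed inventory: "hostname,version,build" as the appliance reports them.
SAMPLE_INVENTORY = """\
vcsa-prod-01,7.0.3,24000000
vcsa-prod-02,8.0.3,24262322
vcsa-lab-01,8.0.2,23000000
vcsa-lab-02,6.7.0,22000000
"""


def classify(version: str, build: int) -> str:
    """Return a triage status for one vCenter appliance."""
    m = re.match(r"^(\d+\.\d+\.\d+)", version)
    line = m.group(1) if m else None
    threshold = SEPT_2024_PATCH_BUILD.get(line)
    if threshold is None:
        # The post gives no build threshold for this line (e.g. 8.0 U2e or
        # older releases); do not assume it is safe, check VMSA-2024-0019.
        return "unlisted-line: check VMSA-2024-0019"
    if build < threshold:
        return "vulnerable: below September 2024 patch build"
    # At or above the September build. Per the 22 October 2024 update, that
    # patch did not fully fix CVE-2024-38812, so the host still needs the
    # re-released version (7.0 U3t / 8.0 U3d / 8.0 U2e).
    return "september-patch: re-patch to U3t/U3d/U2e per 22 Oct update"


def triage(inventory: str) -> dict:
    """Map each hostname in the CSV inventory to its triage status."""
    results = {}
    for row in inventory.strip().splitlines():
        host, version, build = (field.strip() for field in row.split(","))
        results[host] = classify(version, int(build))
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```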

Qualys Detection

Qualys customers can scan their devices with QID 216334 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
