VMware has pushed a second patch for a critical, heap-overflow bug in the vCenter Server that could allow a remote attacker to fully compromise vulnerable systems after the first software update, issued last month, didn't work.
Plus, in the same security update, VMware fixed (again) a make-me-root flaw in vCenter that's pretty nasty, too. Both bugs were originally patched on September 17. But, as VMware owner Broadcom noted on Monday, the fixes "did not completely address" either CVE.
The first critical flaw, tracked as CVE-2024-38812, affects vCenter 7.0.3, 8.0.2, and 8.0.3, plus running any version of vSphere or VMware Cloud Foundation prior to the versions listed above.
It garnered a 9.8 out of 10 CVSS score — and for good reason. It doesn't require any user interaction to exploit, and a miscreant could abuse this vulnerability by sending a specially crafted network packet, which could allow remote code execution (RCE).
Meanwhile, the second vCenter bug (CVE-2024-38813) earned a 7.5 CVSS rating. Someone with network access could send a specially crafted packet and then escalate privileges to root.
There are no workarounds for either. "All customers are strongly encouraged to apply the patches currently listed in the Response Matrix," Broadcom noted in its security advisory.
- VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation
- Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability
- VMware by Broadcom warns of two critical vCenter flaws, plus a nasty sudo bug
- Russians invade Microsoft exec mail while China jabs at VMware vCenter Server
Put together, these flaws are especially concerning as they could allow an attacker to remotely execute code on a buggy system after exploiting CVE-2024-38812, and then use CVE-2024-38813 to gain administrative privileges.
Plus, everyone from ransomware gangs to nation states loves to find holes in VMware systems because they are so widely used across organizations, giving attackers maximum bang for their buck.
Earlier this year, Mandiant warned that Chinese cyberspies had been abusing a different critical vCenter bug since late 2021.
According to a separate FAQ about both new vCenter holes, "Broadcom is not currently aware of exploitation 'in the wild.'" We'd suggest patching ASAP to keep it that way.
Both bugs were originally discovered by Zbl and srs of Team TZL at Tsinghua University during the Matrix Cup Cyber Security Competition, held in June in China. ®