On Tuesday, Broadcom issued a security update to address a critical vulnerability affecting VMware vCenter Server that could lead to remote code execution (RCE). The vulnerability, identified as CVE-2024-38812 and assigned a CVSS score of 9.8, is classified as a heap-overflow flaw in the DCE/RPC protocol implementation.
Heap-Overflow Vulnerability: CVE-2024-38812
A malicious actor with network access to VMware vCenter Server could trigger the flaw by sending a specially crafted network packet, which could lead to remote code execution and give the attacker control of the affected system.
Broadcom, the parent company of VMware, emphasized the severity of this vulnerability in a bulletin, urging users to promptly apply the provided patches to prevent potential exploitation. The vulnerability is similar to two other critical RCE vulnerabilities, CVE-2024-37079 and CVE-2024-37080 (both also with a CVSS score of 9.8), which VMware addressed in June 2024.
Privilege Escalation Vulnerability: CVE-2024-38813
In addition to the heap-overflow vulnerability, VMware has also patched a privilege escalation flaw in vCenter Server, tracked as CVE-2024-38813 (CVSS score: 7.5). This flaw allows a malicious actor with network access to escalate privileges to the root user by sending a specially crafted packet, further compounding the risk of system compromise.
Both vulnerabilities were discovered by security researchers zbl and srs from team TZL, during the Matrix Cup cybersecurity competition held in China in June 2024. Their efforts in identifying these critical security flaws have been widely acknowledged by the security community.
Affected Versions and Patches
Broadcom has released patches to address these vulnerabilities in the following versions:
- vCenter Server 8.0: Fixed in 8.0 U3b.
- vCenter Server 7.0: Fixed in 7.0 U3s.
- VMware Cloud Foundation 5.x: Fixed in 8.0 U3b through an asynchronous patch.
- VMware Cloud Foundation 4.x: Fixed in 7.0 U3s through an asynchronous patch.
Customers using the affected versions are strongly urged to update to the latest releases to safeguard their systems from potential attacks. While Broadcom has not yet seen any evidence of malicious exploitation of these vulnerabilities, the company highlighted the importance of proactive updates to prevent any future threats.
“These vulnerabilities are memory management and corruption issues which can be used against VMware vCenter services, potentially allowing remote code execution,” the company said in its bulletin.
Broader Security Concerns: U.S. Government Advisory
The release of this security update comes at a time when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory highlighting the growing risk of cross-site scripting (XSS) vulnerabilities. According to the advisory, threat actors are increasingly exploiting XSS flaws to breach systems, manipulate data, and steal information.
“Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs,” the advisory noted. “These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts.”
This broader warning underscores the importance of addressing a wide range of security issues, including RCE vulnerabilities like those affecting VMware vCenter, to maintain the integrity of IT infrastructures.
Mitigating the Risk: Recommendations
Given the critical nature of these vulnerabilities, organizations that rely on VMware vCenter Server are strongly encouraged to take the following steps:
- Apply the Latest Security Updates: Ensure that vCenter Server and VMware Cloud Foundation installations are updated to the latest patched versions (8.0 U3b or 7.0 U3s) to mitigate the risk of exploitation.
- Review Security Configurations: Organizations should assess their existing security configurations to ensure that network access to vCenter Server is restricted to authorized users and devices only.
- Monitor for Suspicious Activity: Regularly monitor systems for signs of suspicious activity, especially in environments that handle sensitive data or manage critical infrastructure.
- Stay Informed on Cross-Site Scripting: Given the increased attention on XSS vulnerabilities, organizations should review their web applications for potential XSS flaws and take steps to properly sanitize and validate inputs.
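As an added example (not from the article or from Broadcom), the check below flags which vCenter Server instances in an inventory are still below the fixed releases named under Affected Versions and in the first recommendation above. The hostnames and release strings are constructed, and the ordering assumes VMware's update lettering sorts an unlettered U3 before U3a and U3b.

```python
import re

# Fixed releases per the Broadcom bulletin cited in the article:
# vCenter Server 8.0 -> 8.0 U3b, vCenter Server 7.0 -> 7.0 U3s.
# VMware Cloud Foundation 5.x / 4.x receive the same builds as an asynchronous patch.
FIXED_RELEASE = {
    (8, 0): "8.0 U3b",
    (7, 0): "7.0 U3s",
}

# Matches strings such as "8.0", "8.0 U3" or "7.0 U3s".
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def parse_release(text):
    """Turn '8.0 U3b' into a sortable tuple (8, 0, 3, 'b').

    A release without an update number sorts as update 0. A bare 'U3' gets an
    empty letter, so it sorts before 'U3a' and 'U3b' (assumption: VMware appends
    letters for point releases that follow the unlettered update)."""
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter release string: {text!r}")
    major, minor, update, letter = m.groups()
    return (int(major), int(minor), int(update or 0), (letter or "").lower())


def patch_status(release):
    """Return 'patched', 'vulnerable' or 'unknown' for one vCenter release string."""
    parsed = parse_release(release)
    line = parsed[:2]
    if line not in FIXED_RELEASE:
        return "unknown"  # release line not covered by the bulletin in the article
    return "patched" if parsed >= parse_release(FIXED_RELEASE[line]) else "vulnerable"


def triage_inventory(inventory):
    """Map each (hostname, release) pair to its patch status."""
    return {host: patch_status(rel) for host, rel in inventory}


# Constructed sample inventory; hostnames and releases are made up for illustration.
SAMPLE_INVENTORY = [
    ("vcsa-prod-01", "8.0 U3b"),
    ("vcsa-prod-02", "8.0 U3a"),
    ("vcsa-dr-01", "8.0 U3"),
    ("vcsa-legacy", "7.0 U3r"),
    ("vcsa-lab", "7.0 U3s"),
    ("vcsa-old", "6.7 U3"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Hosts reported as "unknown" run a release line the bulletin does not list and should be checked against Broadcom's advisory directly rather than assumed safe.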
Conclusion
With the release of these critical security patches, Broadcom and VMware have taken significant steps to safeguard vCenter Server users from potentially devastating attacks. Organizations are urged to act swiftly in applying the patches and reviewing their security protocols to mitigate these vulnerabilities and prevent unauthorized access. As cyber threats continue to evolve, the prompt application of updates and adherence to security best practices remain essential for protecting critical systems and sensitive data.
By addressing the identified vulnerabilities, both CVE-2024-38812 and CVE-2024-38813, and responding to the wider industry concerns raised by CISA and the FBI, organizations can ensure that their infrastructures remain secure in an increasingly hostile cybersecurity landscape.