Article Details
Scrape Timestamp (UTC): 2024-09-17 20:23:12.952
Original Article Text
Click to Toggle View
Broadcom fixes critical RCE bug in VMware vCenter Server. Broadcom has fixed a critical VMware vCenter Server vulnerability that attackers can exploit to gain remote code execution on unpatched servers via a network packet. vCenter Server is the central management hub for VMware's vSphere suite, helping administrators manage and monitor virtualized infrastructure. The vulnerability (CVE-2024-38812), reported by TZL security researchers during China's 2024 Matrix Cup hacking contest, is caused by a heap overflow weakness in vCenter's DCE/RPC protocol implementation. It also affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation. Unauthenticated attackers can exploit it remotely in low-complexity attacks that don't require user interaction "by sending a specially crafted network packet potentially leading to remote code execution." Security patches addressing this vulnerability are now accessible through the standard vCenter Server update mechanisms. "To ensure full protection for yourself and your organization, install one of the update versions listed in the VMware Security Advisory," the company said. "While other mitigations may be available depending on your organization's security posture, defense-in-depth strategies, and firewall configurations, each organization must evaluate the adequacy of these protections independently." Not exploited in attacks Broadcom says it has not found evidence that the CVE-2023-34048 RCE bug is currently exploited in attacks. Admins who are unable to immediately apply today's security updates should strictly control network perimeter access to vSphere management components and interfaces, including storage and network components, as an official workaround for this vulnerability is unavailable. Today, the company also patched a high-severity privilege escalation vulnerability (CVE-2024-38813) that threat actors can leverage to gain root privileges on vulnerable servers via a specially crafted network packet. In June, it fixed a similar vCenter Server remote code execution vulnerability (CVE-2024-37079) that can be exploited via specially crafted packets. In January, Broadcom disclosed that a Chinese hacking group has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021. The threat group (tracked as UNC3886 by security firm Mandiant) used it to breach vulnerable vCenter servers to deploy VirtualPita and VirtualPie backdoors on ESXi hosts via maliciously crafted vSphere Installation Bundles (VIBs).
Daily Brief Summary
Broadcom has issued a fix for a critical vulnerability in VMware vCenter Server, identified as CVE-2024-38812, allowing attackers remote code execution capabilities.
The security loophole, originating from a heap overflow issue within the DCE/RPC protocol, was exposed during the 2024 Matrix Cup in China by TZL security researchers.
The vulnerability impacts not only VMware vCenter but also extends to VMware vSphere and VMware Cloud Foundation, exposing multiple products to potential threats.
Attackers can exploit the flaw remotely without authentication by sending a specially crafted network packet to the targeted server.
VMware has released security patches accessible via vCenter Server's standard update mechanisms, urging immediate application to block potential exploits.
Additional mitigations may be required depending on an organization’s specific security posture and infrastructure configurations.
Broadcom has also patched another high-severity privilege escalation issue (CVE-2024-38813) that could be exploited in a similar manner.
Furthermore, in earlier instances, Broadcom corrected similar vulnerabilities and reported active exploitations attributed to a Chinese hacking group using such weaknesses since 2021.