Article Details
Scrape Timestamp (UTC): 2024-10-22 17:04:23.559
Source: https://www.theregister.com/2024/10/22/vmware_rce_vcenter_bugs/
Original Article Text
VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time
If the first patches don't work, try, try again.

VMware has pushed a second patch for a critical heap-overflow bug in vCenter Server that could allow a remote attacker to fully compromise vulnerable systems, after the first software update, issued last month, didn't work. In the same security update, VMware also fixed (again) a make-me-root flaw in vCenter that's pretty nasty, too.

Both bugs were originally patched on September 17. But, as VMware owner Broadcom noted on Monday, the fixes "did not completely address" either CVE.

The first, critical flaw, tracked as CVE-2024-38812, affects vCenter 7.0.3, 8.0.2, and 8.0.3, as well as vSphere and VMware Cloud Foundation deployments running a vCenter older than the fixed releases. It garnered a 9.8 out of 10 CVSS score, and for good reason: it requires no user interaction to exploit, and a miscreant could trigger it by sending a specially crafted network packet, which could lead to remote code execution (RCE).

Meanwhile, the second vCenter bug, CVE-2024-38813, earned a 7.5 CVSS rating. Someone with network access could send a specially crafted packet and then escalate privileges to root.

There are no workarounds for either. "All customers are strongly encouraged to apply the patches currently listed in the Response Matrix," Broadcom noted in its security advisory.

Put together, these flaws are especially concerning: an attacker could exploit CVE-2024-38812 to remotely execute code on a buggy system, and then use CVE-2024-38813 to escalate to root. Plus, everyone from ransomware gangs to nation states loves to find holes in VMware systems because they are so widely deployed across organizations, giving attackers maximum bang for their buck. Earlier this year, Mandiant warned that Chinese cyberspies had been abusing a different critical vCenter bug since late 2021.
According to a separate FAQ about both new vCenter holes, "Broadcom is not currently aware of exploitation 'in the wild.'" We'd suggest patching ASAP to keep it that way. Both bugs were originally discovered by Zbl and srs of Team TZL at Tsinghua University during the Matrix Cup Cyber Security Competition, held in June in China.
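Because the first round of patches was incomplete, "we applied VMSA-2024-0019 in September" is not the same as "we are on a fixed build". The check a practitioner actually wants is: read the appliance's version and build number, and compare the build against the fixed build listed for that branch in the advisory's Response Matrix. The following is an added example, not code from The Register or Broadcom. It assumes the vSphere Automation REST endpoints `POST /api/session` and `GET /api/appliance/system/version`, and the fixed-build numbers in it are constructed placeholders, not the real ones; take those from the Response Matrix before relying on the result.

```python
"""Compare a vCenter Server appliance build against the advisory's fixed build.

Added example (not from the article or from Broadcom). Assumptions:
- POST https://<vc>/api/session with HTTP Basic auth returns the session id as a JSON string.
- GET  https://<vc>/api/appliance/system/version returns JSON with "version" and "build".
- The fixed-build map below is a CONSTRUCTED placeholder; fill it from the Response Matrix.
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Tuple

# Constructed placeholder values, NOT the real fixed builds. Replace with the
# build numbers listed per branch in Broadcom's Response Matrix.
CONSTRUCTED_FIXED_BUILDS: Dict[str, int] = {
    "7.0.3": 24000100,
    "8.0.2": 24000200,
    "8.0.3": 24000300,
}


def branch_of(version: str) -> str:
    """Map a vCenter version string such as '8.0.3.00300' to its branch '8.0.3'.

    The Response Matrix is keyed by branch (7.0.3 / 8.0.2 / 8.0.3), not by the
    full four-part version, so the comparison is done on build number within a branch.
    """
    parts = version.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected vCenter version string: {version!r}")
    return ".".join(parts[:3])


def assess(version: str, build: str, fixed_builds: Dict[str, int]) -> str:
    """Return 'patched', 'vulnerable', or 'unknown-branch'.

    'unknown-branch' means the branch is not in the supplied matrix; older
    branches (e.g. 8.0.1) have no fixed build and must be upgraded, so treat
    that result as 'consult the advisory', not as 'safe'.
    """
    branch = branch_of(version)
    if branch not in fixed_builds:
        return "unknown-branch"
    if not str(build).isdigit():
        raise ValueError(f"unexpected build number: {build!r}")
    return "patched" if int(build) >= fixed_builds[branch] else "vulnerable"


def assess_many(samples: List[Tuple[str, str]], fixed_builds: Dict[str, int]) -> List[str]:
    """Assess a list of (version, build) pairs, e.g. one per vCenter in an estate."""
    return [assess(v, b, fixed_builds) for v, b in samples]


def fetch_version(host: str, user: str, password: str, verify_tls: bool = True) -> Dict[str, str]:
    """Log in to the appliance REST API and return the system/version object.

    Network call; not exercised by the offline sample below. Leave verify_tls=True
    unless you have deliberately pinned or trusted the appliance certificate.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(
        f"https://{host}/api/session", method="POST",
        headers={"Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(login, context=ctx) as resp:
        session_id = json.loads(resp.read())
    query = urllib.request.Request(
        f"https://{host}/api/appliance/system/version",
        headers={"vmware-api-session-id": session_id},
    )
    with urllib.request.urlopen(query, context=ctx) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed sample inventory: (version, build) as the API would report them.
    samples = [
        ("8.0.3.00300", "24000300"),  # exactly the (placeholder) fixed build
        ("8.0.3.00200", "23999999"),  # same branch, older build
        ("8.0.1.00300", "22368000"),  # branch absent from the matrix
    ]
    for (v, b), verdict in zip(samples, assess_many(samples, CONSTRUCTED_FIXED_BUILDS)):
        print(f"{v} build {b}: {verdict}")
    # Live use: info = fetch_version("vc.example.internal", "administrator@vsphere.local", "...")
    #           print(assess(info["version"], str(info["build"]), CONSTRUCTED_FIXED_BUILDS))
```

Two caveats worth keeping in mind. Comparing on build number rather than on the four-part version string matters here precisely because the second fix landed on the same branches as the first; a version string that looked "current" in September is not current now. And a "patched" verdict only says the appliance is at or above the build you typed into the map; it cannot catch a transcription error from the Response Matrix, so check the map against the advisory, not the other way round.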
Daily Brief Summary
VMware has released secondary patches for two vCenter vulnerabilities, one of them critical, after the initial fixes proved insufficient.
The first vulnerability, with a CVSS score of 9.8, allows remote code execution through specially crafted network packets without user interaction.
The second flaw, scoring 7.5 on CVSS, could let an attacker with network access send a specially crafted packet and escalate privileges to root.
Both CVEs—CVE-2024-38812 and CVE-2024-38813—were initially patched on September 17 but required additional fixes as the original patches did not fully resolve the issues.
VMware's user base, including major organizations, makes it a high-value target for various attackers, from ransomware gangs to nation-state actors.
Earlier this year Mandiant reported that Chinese cyberspies had been exploiting a different critical vCenter vulnerability since late 2021.
These vulnerabilities were discovered by researchers Zbl and srs from Team TZL at Tsinghua University during a cyber security competition.
Broadcom, which owns VMware, strongly advises customers to apply the latest patches immediately; no workarounds exist for either flaw.