Critical Remote Code Execution Vulnerability in VMware vCenter Server Patched by Broadcom
September 17, 2024
Broadcom has patched a critical vulnerability in VMware vCenter Server that attackers could exploit, by sending a single network packet, to execute code remotely on unpatched servers. vCenter Server is the central management hub for VMware's vSphere suite, giving administrators the tools to manage and monitor virtualized infrastructure. The vulnerability, tracked as CVE-2024-38812, was reported by TZL security researchers during China's 2024 Matrix Cup hacking contest. It stems from a heap overflow weakness in vCenter's implementation of the DCE/RPC protocol.
Products that incorporate vCenter, including VMware vSphere and VMware Cloud Foundation, are also affected by this vulnerability. Attackers who are not authenticated can exploit it remotely in low-complexity attacks that do not require user interaction "by sending a specially crafted network packet potentially leading to remote code execution." Security patches addressing this vulnerability are now available via the standard vCenter Server update mechanisms. The company advised, "To ensure full protection for yourself and your organization, install one of the update versions listed in the VMware Security Advisory."
Broadcom has stated that it has not found any evidence of the CVE-2023-34048 RCE bug currently being exploited in attacks. Administrators who are unable to apply the security updates immediately should strictly control network perimeter access to vSphere management components and interfaces, including storage and network components, as there is no official workaround for this vulnerability.
Additionally, the company has patched a high-severity privilege escalation vulnerability (CVE-2024-38813) that threat actors can use to gain root privileges on vulnerable servers via a specially crafted network packet. In June, it rectified a similar vCenter Server remote code execution vulnerability (CVE-2024-37079) that can be exploited via specially crafted packets.
In January, Broadcom revealed that a Chinese hacking group has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021. The threat group, tracked as UNC3886 by security firm Mandiant, used it to breach vulnerable vCenter servers to deploy VirtualPita and VirtualPie backdoors on ESXi hosts via maliciously crafted vSphere Installation Bundles (VIBs).