Exploitation of Critical Vulnerabilities in VMware vCenter Server and Cloud Foundation
Summary
Exploitation reported for critical vulnerabilities CVE-2024-38812 and CVE-2024-38813
Affected platforms
The following platforms are known to be affected:
Threat details
Timeline of events
17-09-2024
- VMSA-2024-0019
- Broadcom released initial security advisory.
- NHS England National CSOC published Cyber Alert CC-4551
20-09-2024
- VMSA-2024-0019.1
- Broadcom stated that vCenter Server 8.0 U3b updates may introduce a functional issue.
21-10-2024
- VMSA-2024-0019.2
- Broadcom determined that the initial patches did not fully address CVE-2024-38812 and CVE-2024-38813 and issued new patches.
- NHS England National CSOC published Cyber Alert CC-4565 to encourage organisations to apply the revised patches.
18-11-2024
- VMSA-2024-0019.3
- Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813.
- NHS England National CSOC updated Cyber Alert CC-4565 and raised the threat severity level from Medium to High.
Introduction
Broadcom released security updates in September 2024 to remediate CVE-2024-38812 and CVE-2024-38813, vulnerabilities that, if exploited, could lead to remote code execution and privilege escalation.
These vulnerabilities were not fully remediated by those security updates, and Broadcom reissued the security updates in October 2024. The revised advisory included updated software packages to address both the security issues and the functional issues reported after the original disclosure.
Broadcom has since updated its advisory again to report that these vulnerabilities are now being exploited in the wild.
Vulnerability details
- CVE-2024-38812 is a heap-overflow vulnerability in VMware vCenter Server with a CVSSv3 score of 9.8. An attacker with network access to vCenter Server could trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
- CVE-2024-38813 is a privilege escalation vulnerability in vCenter Server with a CVSSv3 score of 7.5. An attacker with network access to vCenter Server could exploit this vulnerability by sending a specially crafted network packet to escalate privileges to root.
Exploitation of CVE-2024-38812 and CVE-2024-38813
Broadcom has reported exploitation of CVE-2024-38812 and CVE-2024-38813 in the wild.
Remediation advice
Affected organisations must review Broadcom's VMware advisory VMSA-2024-0019 and the accompanying VMSA-2024-0019: Questions & Answers, and apply the relevant updates.
More information about applying async patches and individual product updates to VMware Cloud Foundation environments using the Async Patch Tool (AP Tool) is available in Article ID: 344935.
Last edited: 19 November 2024 2:35 pm