VMware patches serious flaws in vCenter Server
Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation.
The first flaw, CVE-2024-38812, is a heap overflow vulnerability in the Distributed Computing Environment/Remote Procedure Calls (DCERPC) system that could be exploited over the network to achieve remote code execution on unpatched systems. Corrupting the heap could allow an attacker to execute arbitrary code on the system. Broadcom rates it as a critical fix and it has a CVSS score of 9.8 out of 10.
The second one, CVE-2024-38813, is a privilege escalation flaw that ranks a CVSS score of 7.5 and one that VMware-owned Broadcom rates as important. Someone with network access to VMware’s vulnerable software could exploit this to gain root privileges on the system.
We can imagine a miscreant with network access using CVE-2024-38812 to gain code execution on a box, and then using CVE-2024-38813 to step up to administrative control. This scenario isn’t explicitly outlined in the advisory though Broadcom chose to pair the flaws together in its advisory today and FAQ.
Versions 7 and 8 of vCenter Server and versions 4 and 5 of VMware Cloud Foundation are at risk and Broadcom warns there is no practical workaround for these bugs. In other words, get patching.
The blunders are addressed in vCenter Server versions 8.0 U3b and 7.0 U3s, and Cloud Foundation with async patches to 8.0 U3b and 7.0 U3s.
The discovery of both flaws stemmed from the Matrix Cup Cyber Security Competition, held in June in China, which was organized by 360 Digital Security Group and Beijing Huayunan Information Technology Company. Over 1,000 teams competed to report holes in products for $2.75 million in prizes.
Zbl and srs of Team TZL at Tsinghua University were credited with discovering the bugs, which were disclosed to Broadcom to patch.
The team bagged the competition’s Best Vulnerability Award, along with a $59,360 payday, showing once again that bug bounties and competitive hacking really work. ®