Broadcom fixes critical RCE bug in VMware vCenter Server
Broadcom has fixed a critical VMware vCenter Server vulnerability that attackers can exploit to gain remote code execution on unpatched servers via a network packet.
vCenter Server is the central management hub for VMware‘s vSphere suite, helping administrators manage and monitor virtualized infrastructure.
The vulnerability (CVE-2024-38812), reported by TZL security researchers during China’s 2024 Matrix Cup hacking contest, is caused by a heap overflow weakness in vCenter’s DCE/RPC protocol implementation. It also affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation.
Unauthenticated attackers can exploit it remotely in low-complexity attacks that don’t require user interaction “by sending a specially crafted network packet potentially leading to remote code execution.”
Security patches addressing this vulnerability are now accessible through the standard vCenter Server update mechanisms.
“To ensure full protection for yourself and your organization, install one of the update versions listed in the VMware Security Advisory,” the company said.
“While other mitigations may be available depending on your organization’s security posture, defense-in-depth strategies, and firewall configurations, each organization must evaluate the adequacy of these protections independently.”
Not exploited in attacks
Broadcom says it has not found evidence that the CVE-2023-34048 RCE bug is currently exploited in attacks.
Admins who are unable to immediately apply today’s security updates should strictly control network perimeter access to vSphere management components and interfaces, including storage and network components, as an official workaround for this vulnerability is unavailable.
Today, the company also patched a high-severity privilege escalation vulnerability (CVE-2024-38813) that threat actors can leverage to gain root privileges on vulnerable servers via a specially crafted network packet.
In June, it fixed a similar vCenter Server remote code execution vulnerability (CVE-2024-37079) that can be exploited via specially crafted packets.
In January, Broadcom disclosed that a Chinese hacking group has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021.
The threat group (tracked as UNC3886 by security firm Mandiant) used it to breach vulnerable vCenter servers to deploy VirtualPita and VirtualPie backdoors on ESXi hosts via maliciously crafted vSphere Installation Bundles (VIBs).