Advisory

VMware issues second patch for CVE-2024-38812 vCenter Server flaw

Take action: If you are running VMware vCenter Server, make sure the vSphere management components are accessible only from a trusted network and isolated from public access. This flaw is not new, and the second patch means that attackers are still finding ways around the fix and are actively attacking. Plan to patch ASAP.


Learn More

VMware is struggling to fully patch a critical vulnerability in its vCenter Server platform.

The vulnerability, tracked as CVE-2024-38812 (CVSS score of 9.8), involves a heap-overflow in the Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol implementation. This flaw enables attackers with network access to execute arbitrary code on vulnerable vCenter Server instances.

The flaw was initially discovered during the 2024 Matrix Cup, a hacking contest held in China, and VMware attempted to address it with a patch released on September 17, 2024. VMware later admitted that the patch did not fully mitigate the vulnerability. An updated advisory was issued on October 21, 2024, urging users to apply revised patches to protect their systems.

Affected Products

  • VMware vCenter Server versions: 8.0 and 7.0 (before 8.0 U3d, 7.0 U3t)
  • VMware Cloud Foundation versions: 5.x and 4.x

Alongside CVE-2024-38812, another vulnerability, CVE-2024-38813 (CVSS score 7.5), was identified, allowing privilege escalation to root. Both vulnerabilities can be triggered via specially crafted network packets.

  • VMware released new patches to fully address both vulnerabilities. Users are strongly advised to update to the latest fixed versions as listed in VMware's Response Matrix.
  • No viable workarounds are available.