On Tuesday, September 17, Broadcom released a security update that fixes a critical remote code execution flaw in VMWare vCenter Server software. Disclosed upon the patch release, this flaw has got a significant CVSS score of 9.8, reflective of how severe the exploitation consequences can be. The company offers no mitigation ways, just installing the latest security update.
VMWare vCenter Server RCE Vulnerability Disclosed
Under the course of the last update for the vCenter Server, Broadcom, a parent company of VMWare released a fix for two vulnerabilities in this software. A more severe of two – CVE-2024-38812 – is a remote code execution flaw present in the local implementation of a remote procedure call (RPC) protocol. More specifically, the vulnerability falls under the CWE-122 specification, which stands for heap overflow.
By sending a specially crafted network packet, adversaries can overflow the memory of the program. This, in turn, forces it to execute code that they need. Such a flaw can circumvent both security policies of the program and, in quite a few cases, stand-alone security solutions. Considering that vCenter Server is a well-known and trusted software piece, security vendors do not check it too thoroughly. Also, there is another software solution from VMWare that has this flaw – their Cloud Foundation suite.
Vulnerability in a virtualization software like vCenter can hit pretty badly, especially when these virtualized environments are connected directly to the rest of the enterprise network. And even when everything is set up correctly, a spyware or a backdoor can create quite a mess in the infected virtual machine. What is worse, however, is the possibility of lateral movement and deployment of other malicious programs with the same exact malware. Sooner or later, attackers will find the way to “mainland” network, shall the vulnerability remain unpatched.
Another Flaw of vCenter Server
RCE heap overflow vulnerability is not the only weakness that Broadcom has fixed in this update. Another, slightly less severe flaw, coded CVE-2024-38813, allows attackers to escalate privileges to root level. Same as in the previous flaw, all they need for execution is a specially configured network package, sent to the vCenter environment. This makes up for its high CVSS score – 7.5, while other properties of the flaw are less severe otherwise.
As the virtualized environment has little to no connection to actual hardware, root-level privileges won’t give any more access than what the VM settings allow. So unlike with the RCE flaw, adversaries will not be able to use this vulnerability for initial access or lateral movement. At the same time, it may be pretty useful as an auxiliary tool: high privileges are always usable in any attack scenarios.
Mitigation and Patches
As I’ve mentioned in the introduction, Broadcom does not offer any other fix for the vulnerability other than installing the update. That is unfortunate, as updating all the virtualized infrastructure may turn out to be a rather tedious task. But the deep nature of both vulnerabilities supposes that there’s not much one can do by themselves, except for closing the environment from external network connections.
List of vulnerable and fixed software versions
| Software | Versions vulnerable | Fixed in |
|---|---|---|
| vCenter Server | all 8.0 and 7.0 | 8.0 U3b 7.0 U3s |
| VMware Cloud Foundation | all 4.x and 5.x | Async patch to 8.0 U3b/7.0 U3s |
