Broadcom Patches Critical VMware vCenter Flaw Allowing Remote Code Execution


Broadcom has released critical updates to fix a significant vulnerability in VMware vCenter Server that could allow remote code execution. The vulnerability, tracked as CVE-2024-38812 with a CVSS score of 9.8, is a heap-overflow flaw in the implementation of the DCE/RPC protocol. An attacker with network access to vCenter Server can trigger it by sending specially crafted packets, potentially leading to remote code execution.

In its security bulletin, Broadcom emphasized that this vulnerability is similar to two previous critical flaws, CVE-2024-37079 and CVE-2024-37080, also remote code execution vulnerabilities with the same CVSS score of 9.8, which VMware addressed in June 2024.

Additionally, Broadcom has patched a privilege escalation flaw in vCenter Server, tracked as CVE-2024-38813 (CVSS score: 7.5). This flaw could allow an attacker with network access to escalate privileges to root by sending a specially crafted packet to the vCenter instance.

The discovery of these vulnerabilities is credited to security researchers zbl and srs from team TZL, who uncovered the flaws during the Matrix Cup cybersecurity competition in China in June 2024. Broadcom has applied fixes for these vulnerabilities in the following versions:

  • vCenter Server 8.0 (Fixed in 8.0 U3b)
  • vCenter Server 7.0 (Fixed in 7.0 U3s)
  • VMware Cloud Foundation 5.x (Fixed in 8.0 U3b as an asynchronous patch)
  • VMware Cloud Foundation 4.x (Fixed in 7.0 U3s as an asynchronous patch)

Though Broadcom has not detected any malicious exploitation of these vulnerabilities, the company strongly recommends that users update their VMware vCenter Server installations immediately to avoid potential threats.

The patch release coincides with a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), warning organizations about cross-site scripting (XSS) vulnerabilities. These flaws, if left unpatched, could be exploited by threat actors to compromise systems.

CISA and the FBI noted that XSS vulnerabilities arise from poor input validation and sanitization practices, enabling attackers to inject malicious scripts into web applications. Organizations are urged to follow best practices to secure their web applications and eliminate XSS risks.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067