Patch Issued for Crucial VMware vCenter Flaw Permitting Distant Code Execution

Sep 18, 2024Ravie LakshmananVirtualization / Community Safety

Broadcom on Tuesday launched updates to deal with a important safety flaw impacting VMware vCenter Server that might pave the best way for distant code execution.

The vulnerability, tracked as CVE-2024-38812 (CVSS rating: 9.8), has been described as a heap-overflow vulnerability within the DCE/RPC protocol.

“A malicious actor with community entry to vCenter Server might set off this vulnerability by sending a specifically crafted community packet probably resulting in distant code execution,” the virtualization companies supplier said in a bulletin.

The shortcoming is much like two different distant code execution flaws, CVE-2024-37079 and CVE-2024-37080 (CVSS scores: 9.8), that VMware resolved in vCenter Server in June 2024.

Additionally addressed by VMware is a privilege escalation flaw within the vCenter Server (CVE-2024-38813, CVSS rating: 7.5) that might allow a malicious actor with community entry to the occasion to escalate privileges to root by sending a specifically crafted community packet.

Safety researchers zbl and srs of group TZL have been credited with discovering and reporting the 2 flaws through the Matrix Cup cybersecurity competitors held in China again in June 2024. They’ve been mounted within the under variations –

• vCenter Server 8.0 (Fastened in 8.0 U3b)
• vCenter Server 7.0 (Fastened in 7.0 U3s)
• VMware Cloud Basis 5.x (Fastened in 8.0 U3b as an asynchronous patch)
• VMware Cloud Basis 4.x (Fastened in 7.0 U3s as an asynchronous patch)

Broadcom mentioned it is not conscious of malicious exploitation of the 2 vulnerabilities, however has urged clients to replace their installations to the most recent variations to safeguard in opposition to potential threats.

“These vulnerabilities are reminiscence administration and corruption points which can be utilized in opposition to VMware vCenter companies, probably permitting distant code execution,” the corporate said.

The event comes because the U.S. Cybersecurity and Infrastructure Safety Company (CISA) and the Federal Bureau of Investigation (FBI) launched a joint advisory urging organizations to work in the direction of eliminating cross-site scripting (XSS) flaws that risk actors might exploit to breach techniques.

“Cross-site scripting vulnerabilities come up when producers fail to correctly validate, sanitize, or escape inputs,” the federal government our bodies said. “These failures enable risk actors to inject malicious scripts into net purposes, exploiting them to govern, steal, or misuse information throughout completely different contexts.”