VMware Issues Updated Patch for vCenter Server to Address Critical RCE Flaw
October 24, 2024
VMware has rolled out an update to fix a previously patched critical security vulnerability in vCenter Server that could allow attackers to execute remote code. The critical vulnerability, identified as CVE-2024-38812 and rated 9.8 on the CVSS scale, is a heap-overflow issue within the DCE/RPC protocol handling. According to VMware, now a subsidiary of Broadcom, “a malicious actor with network access to vCenter Server could exploit this flaw by sending a specially crafted network packet, potentially leading to remote code execution.”
The security flaw was first uncovered by researchers zbl and srs from team TZL during the Matrix Cup cybersecurity competition in China earlier this year. Although a patch was issued on September 17, 2024, subsequent review showed that the initial fix was incomplete.
VMware has now made patches available for the following vCenter Server versions:
- 8.0 U3d
- 8.0 U2e
- 7.0 U3t
Additionally, an asynchronous patch has been provided for VMware Cloud Foundation versions 5.x, 5.1.x, and 4.x. There are currently no known workarounds or mitigations for this vulnerability.
While there are no reports of the vulnerability being exploited in the wild, VMware advises users to install the latest patches to prevent any potential breaches. The release comes in the wake of a 2021 law in China mandating that vulnerabilities discovered within the country be immediately reported to the government and the relevant manufacturer, a move that has sparked international concerns about the potential for misuse in cyber warfare.