VMware failed to fully address vCenter Server RCE flaw CVE-2024-38812

Pierluigi Paganini October 22, 2024

VMware addressed a remote code execution flaw, demonstrated in a Chinese hacking contest, for the second time in two months.

VMware failed to fully address a remote code execution flaw, tracked as CVE-2024-38812 (CVSS score: 9.8), in its vCenter Server platform.

In September, Broadcom released security updates to address the vulnerability CVE-2024-38812.

vCenter Server is a critical component in VMware's virtualization and cloud computing software suite. It serves as a centralized and comprehensive management platform for VMware’s virtualized data centers.

The flaw is a heap-overflow vulnerability that resides in the implementation of the DCERPC protocol.

“A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution,” reads the advisory.

During the 2024 Matrix Cup hacking contest in China, zbl & srs of team TZL demonstrated the vulnerability.

The company has now updated its initial advisory, confirming that the September patches did not fully address the flaw.

“VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not completely address CVE-2024-38812,” reads the updated advisory. “The patches listed in the Response Matrix below are updated versions that contain additional fixes to fully address CVE-2024-38812.”

Chinese law requires researchers to disclose zero-day vulnerabilities to the government. Experts speculate that the Chinese government was aware of the flaw and may have exploited it as a zero-day.
