VMware fixes bad patch for critical vCenter Server RCE flaw

VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024.

The flaw is rated critical (CVSS v3.1 score: 9.8) and stems from a heap overflow weakness in vCenter's DCE/RPC protocol implementation, impacting the vCenter Server and any products incorporating it, such as vSphere and Cloud Foundation.

The flaw does not require user interaction for exploitation, as remote code execution is triggered when a specially crafted network packet is received.

The vulnerability was discovered and used by TZL security researchers during China's 2024 Matrix Cup hacking contest. The researchers also disclosed CVE-2024-38813, a high-severity privilege escalation flaw also impacting VMware vCenter.

In an update of its security advisory on these two vulnerabilities, VMware says that new patches had to be issued for vCenter 7.0.3, 8.0.2, and 8.0.3, as the previous fixes did not correctly fix the RCE flaw.

"VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812," reads the updated security advisory.

"All customers are strongly encouraged to apply the patches currently listed in the Response Matrix."

The latest security updates are available on VMware vCenter Server 8.0 U3d, 8.0 U2e, and 7.0 U3t.

Older product versions past their end-of-support dates, such as the vSphere 6.5 and 6.7, are confirmed as impacted but will not receive security updates.

No workarounds are available for either flaw, so impacted users are recommended to apply the latest updates as soon as possible.

VMware notes it has not received any reports or observed exploitation of the said flaws in the wild as of yet.

For more information, check out this Q&A published as a companion to the bulletin to help clarify some points.

These new security updates should be applied as soon as possible, as threat actors commonly target VMware vCenter flaws to elevate privileges or gain access to virtual machines.

At the start of the year, Mandiant disclosed that Chinese state-sponsored hackers tracked as UNC3886 exploited CVE-2023-34048, a critical vulnerability in vCenter Server, as a zero-day to backdoor VMware ESXi virtual machines.