VMware has just rolled out critical security patches for its vCenter Server software to fix a severe remote code execution (RCE) vulnerability, identified as CVE-2024-38812, which has a CVSS score of 9.8. This vulnerability, caused by a heap overflow in the implementation of the DCE/RPC protocol, could allow an unauthenticated attacker with network access to execute arbitrary code on a vulnerable server by sending a specially crafted network packet. The potential impact of such an exploit includes unauthorized access, system disruption, and even data theft.
The vulnerability was initially discovered during China’s Matrix Cup cybersecurity competition and reported by security researchers from Team TZL. Although VMware issued patches in September 2024, it was later found that those patches were insufficient, necessitating further updates. The latest patches, released on October 22, 2024, apply to vCenter Server versions 8.0 U3d, 8.0 U2e, 7.0 U3t, and corresponding patches for VMware Cloud Foundation versions.
Fortunately, there are no reports yet of this flaw being exploited in the wild, but administrators are strongly advised to apply these updates immediately, as no effective workarounds exist. This vulnerability highlights the importance of maintaining up-to-date systems, especially for critical infrastructure management tools like VMware vCenter Server, which is widely used for managing virtualized environments.
In addition to CVE-2024-38812, VMware has also patched a privilege escalation vulnerability (CVE-2024-38813), making these updates even more crucial for enterprises.
For organizations looking to protect themselves, immediate patching is essential, and administrators should also evaluate additional security measures such as network perimeter defenses and segmented access to vCenter management interfaces to mitigate risks while updates are applied.
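As a practical aid for the patching guidance above, the following is an added example (not VMware's code and not from the original article) that turns the fixed vCenter Server releases named in the second paragraph (8.0 U3d, 8.0 U2e, 7.0 U3t) into a quick inventory check: it parses the marketing-style version string of each vCenter instance and reports whether it sits at or beyond the fixed release on its own update train. The version-string format, the `FIXED_RELEASES` table and the sample inventory are assumptions constructed for the example; the VMware Cloud Foundation releases are not modelled, and a real decision should be confirmed against the build numbers in the vendor advisory, which this article does not list.

```python
import re
from typing import Dict, List, NamedTuple

# Fixed vCenter Server releases named in the article for the October 22, 2024 patches
# (assumption: this table is maintained by hand from the vendor advisory).
FIXED_RELEASES: Dict[str, List[str]] = {
    "8.0": ["8.0 U3d", "8.0 U2e"],
    "7.0": ["7.0 U3t"],
}


class VcVersion(NamedTuple):
    major: int
    minor: int
    update: int  # 0 when there is no "Ux" suffix
    letter: int  # 0 when there is no patch letter; 'a' -> 1, 'b' -> 2, ...


# Accepts "8.0", "7.0 U3", "8.0 U3d" (case-insensitive, optional space before U).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?$", re.IGNORECASE)


def parse_version(text: str) -> VcVersion:
    """Parse a marketing-style vCenter version such as '8.0 U3d' into sortable parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version: {text!r}")
    major, minor, update, letter = m.groups()
    return VcVersion(
        int(major),
        int(minor),
        int(update) if update else 0,
        (ord(letter.lower()) - ord("a") + 1) if letter else 0,
    )


def patch_status(text: str) -> str:
    """Classify one vCenter version against the fixed releases.

    The comparison is done within the same update train (U2 vs U2, U3 vs U3):
    8.0 U3a is *not* covered by the 8.0 U2e fix even though 3 > 2.
    """
    v = parse_version(text)
    fixes = [parse_version(f) for f in FIXED_RELEASES.get(f"{v.major}.{v.minor}", [])]
    if not fixes:
        # No fixed release listed for this major.minor line; treat as vulnerable.
        return "unsupported-line"
    same_train = [f for f in fixes if f.update == v.update]
    if same_train:
        return "patched" if v.letter >= same_train[0].letter else "vulnerable"
    if v.update > max(f.update for f in fixes):
        # Newer update train than any fix listed here; verify against the advisory.
        return "newer-than-fix"
    # Older update train with no fix listed; it must be upgraded.
    return "vulnerable"


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each vCenter hostname to its patch status."""
    return {host: patch_status(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "vcsa-prod-01.example.internal": "8.0 U3d",
    "vcsa-prod-02.example.internal": "8.0 U3a",
    "vcsa-lab-01.example.internal": "7.0 U3s",
    "vcsa-legacy.example.internal": "6.7",
}

if __name__ == "__main__":
    for host, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:35s} {SAMPLE_INVENTORY[host]:8s} {status}")
```

Anything reported as `vulnerable` or `unsupported-line` should go to the top of the patch queue; `newer-than-fix` is a prompt to re-check the advisory rather than a clean bill of health, since the table in this example only knows the releases the article names.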