1. Impacted Products

• VMware vCenter Server
• VMware Cloud Foundation

2. Introduction

IMPORTANT: VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812. All customers are strongly encouraged to apply the patches currently listed in the Response Matrix. Additionally, patches for 8.0 U2 line are also available.

A heap-overflow vulnerability and a privilege escalation vulnerability in vCenter Server were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. VMware vCenter Server heap-overflow vulnerability (CVE-2024-38812) 

Description:
The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors:
A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Resolution:
To remediate CVE-2024-38812 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds:
In-product workarounds were investigated, but were determined to not be viable.

Additional Documentation:
A supplemental FAQ was created for additional clarification. Please see: https://bit.ly/vcf-vmsa-2024-0019-qna

Acknowledgments:
VMware would like to thank zbl & srs of team TZL working with the 2024 Matrix Cup contest for reporting this issue to us.

Notes:
[1] VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not completely address CVE-2024-38812. The patches listed in the Response Matrix below are updated versions that contain additional fixes to fully address CVE-2024-38812. 

• VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812.

3b. VMware vCenter privilege escalation vulnerability (CVE-2024-38813) 

Description:
The vCenter Server contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors:
A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.

Resolution:
To remediate CVE-2024-38813 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.

Workarounds:
None.

Additional Documentation:
A supplemental FAQ was created for additional clarification. Please see: https://bit.ly/vcf-vmsa-2024-0019-qna

Acknowledgments:
VMware would like to thank zbl & srs of team TZL working with the 2024 Matrix Cup contest for reporting this issue to us.

Notes:

• VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38813.

Response Matrix:  3a & 3b

4. References:

Fixed Version(s) and Release Notes:

VMware vCenter Server 8.0 U3d
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5574
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u3d-release-notes/index.html

VMware vCenter Server 8.0 U2e
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5531
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u2e-release-notes/index.html

VMware vCenter Server 7.0 U3t
Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5580
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3t-release-notes/index.html

KB Articles:
Cloud Foundation 5.x/4.x:
https://knowledge.broadcom.com/external/article?legacyId=88287

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38813

FIRST CVSSv3 Calculator: 
CVE-2024-38812: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-38813: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

5. Change Log:

2024-09-17 VMSA-2024-0019
Initial security advisory.

2024-09-20 VMSA-2024-0019.1
vCenter Server 8.0 U3b updates mentioned in the response matrix may introduce a functional issue. Please review KB377734 for more information.

2024-10-21 VMSA-2024-0019.2
Updated Response Matrix with latest vCenter patches released on 2024-10-21 that fully address CVE-2024-38812.

2024-11-18 VMSA-2024-0019.3
Updated advisory to note that VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813.

6. Contact:

E-mail: [email protected]

PGP key

https://knowledge.broadcom.com/external/article/321551

VMware Security Advisories

https://www.broadcom.com/support/vmware-security-advisories

VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response

VMware Lifecycle Support Phases

https://support.broadcom.com/group/ecx/productlifecycle

VMware Security Blog

https://blogs.vmware.com/security

X
https://x.com/VMwareSRC

Copyright 2024 Broadcom All rights reserved.