VMware has issued a new patch for CVE-2024-38812, a critical remote code execution (RCE) vulnerability affecting VMware vCenter Server. The flaw, which stems from a boundary error within the implementation of vCenter's DCE/RPC protocol, was not fully resolved in the first patch released in September 2024, leading VMware to release additional fixes in October.
“VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812. All customers are strongly encouraged to apply the patches currently listed in the Response Matrix. Additionally, patches for 8.0 U2 line are also available,” the company wrote in an updated security advisory.
The vulnerability allows remote code execution without user interaction. Attackers can exploit the flaw by sending a specially crafted network packet to a vulnerable system, potentially compromising any product incorporating vCenter Server, including VMware vSphere and Cloud Foundation.
Discovered by TZL security researchers during China's 2024 Matrix Cup hacking contest, the CVE-2024-38812 flaw also accompanies another high-severity issue, CVE-2024-38813, which is a privilege escalation vulnerability in VMware vCenter.
There is no workaround for the flaw. All users are strongly advised to apply the latest updates to ensure full protection.
In other news, the US Cybersecurity and Infrastructure Security Agency (CISA) has recently added CVE-2024-9537, a critical security vulnerability recently discovered in the ScienceLogic SL1 Portal (formerly EM7) CVE-2024-9537, to its Known Exploited Vulnerabilities (KEV) Catalog, indicating its exploitation in the wild. Additionally, CISA has flagged as actively exploited a Microsoft SharePoint Deserialization Vulnerability (CVE-2024-38094), which allows remote code execution.