VMware has released software updates to fully address an already-patched security flaw in vCenter Server that could open the way for remote code execution.
The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), is a heap overflow in the DCE/RPC protocol implementation.
“An attacker with network access to vCenter Server could cause this vulnerability by sending a specially crafted network packet that could potentially lead to remote code execution,” the Broadcom-owned virtualization services provider said.
The flaw was originally reported by zbl and srs of the TZL team at the Matrix Cup cybersecurity competition held in China earlier this year.
“VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812,” the company said.
Patches for the flaw are available in the following vCenter Server versions:
- 8.0 U3d
- 8.0 U2e
- 7.0 U3t
The fix is also available as an asynchronous patch for VMware Cloud Foundation versions 5.x, 5.1.x, and 4.x. There are no known workarounds or mitigations.
While there is no evidence that the vulnerability has been exploited in the wild, users are advised to update to the latest versions to guard against potential threats.
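Because the fix ships per update line (8.0 U3, 8.0 U2 and 7.0 U3 each get their own release), a defender checking an inventory has to compare against the fixed release on the same line, and an instance on an unlisted line (for example 8.0 U1) cannot simply take the patch. The script below is an added illustration, not VMware's or Broadcom's own tooling; it assumes version strings of the form "8.0 U3c", assumes the trailing letter orders releases within an update (a before b before c), and uses a constructed sample inventory rather than real hosts.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed vCenter Server releases named in the advisory above.
FIXED_VERSIONS = ["8.0 U3d", "8.0 U2e", "7.0 U3t"]

# Assumed version format: "<major>.<minor> U<update><letter>", letter optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+U(\d+)([a-z]?))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a string such as '8.0 U3c' into a comparable tuple.

    Returns (major, minor, update, letter_rank). A missing update ('8.0') counts
    as update 0; a missing letter ranks below 'a'. Assumption: letters order
    releases within one update line (a < b < c ...).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version: {text!r}")
    major, minor, update, letter = m.groups()
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(update or 0), letter_rank)


def fixed_for_line(version: str) -> Optional[str]:
    """Return the fixed release on the same major.minor / update line, if any."""
    major, minor, update, _ = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fmajor, fminor, fupdate, _ = parse_version(fixed)
        if (fmajor, fminor, fupdate) == (major, minor, update):
            return fixed
    return None


def assess(version: str) -> str:
    """Classify one vCenter version relative to the advisory's fixed releases."""
    fixed = fixed_for_line(version)
    if fixed is None:
        # No fixed release on this update line: the host must move to a line
        # that has one (e.g. 8.0 U1 -> 8.0 U3d) rather than apply a patch.
        return "no fix on this line"
    if parse_version(version) >= parse_version(fixed):
        return "patched"
    return f"needs patch ({fixed})"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every host in an inventory to its patch status."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vcsa-prod-01.example.internal": "8.0 U3c",
    "vcsa-prod-02.example.internal": "8.0 U3d",
    "vcsa-lab.example.internal": "8.0 U1",
    "vcsa-legacy.example.internal": "7.0 U3s",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {status}")
```

In practice the inventory would come from your CMDB or from querying each appliance; the point of the comparison logic is that "is the version number newer than some threshold" is the wrong question when fixes are backported to several parallel lines.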
In July 2021, China passed a law that requires vulnerabilities discovered by in-country researchers to be reported immediately to the government and to the product manufacturer, raising concerns that it could help nation-state adversaries stockpile zero-days and weaponize them for their own benefit.