The Register: VMware patches over remote make-me-root holes in vCenter Server, Cloud Foundation

Source URL: https://www.theregister.com/2024/09/17/vmware_vcenter_patch/
Source: The Register
Title: VMware patches over remote make-me-root holes in vCenter Server, Cloud Foundation

Feedly Summary: Bug reports made in China
Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation.…

AI Summary and Description: Yes

Summary: The text discusses vulnerabilities in VMware vCenter Server and Cloud Foundation, outlining two critical flaws rated high on the CVSS scale. The implications of these vulnerabilities highlight significant risks for organizations using affected versions, emphasizing the importance of prompt patching.

Detailed Description:

The vulnerabilities in VMware vCenter Server, as reported, pose a severe threat to organizations relying on these systems. Here are the key components of the text:

– **Vulnerabilities Identified**:
  – **CVE-2024-38812**:
    – **Type**: Heap overflow in vCenter Server's DCERPC protocol implementation.
    – **Impact**: An attacker with network access to vCenter can execute arbitrary code on unpatched systems.
    – **Severity**: Rated critical with a CVSS score of 9.8/10.

  – **CVE-2024-38813**:
    – **Type**: Privilege escalation flaw.
    – **Impact**: An attacker with network access to vCenter can exploit this to gain root privileges on the system.
    – **Severity**: Rated important with a CVSS score of 7.5/10.

– **Attack Scenario**:
  – An attacker can first exploit CVE-2024-38812 to achieve code execution and subsequently exploit CVE-2024-38813 for root-level control.

– **Affected Versions**:
  – Versions 7 and 8 of vCenter Server.
  – Versions 4 and 5 of VMware Cloud Foundation.

– **Recommendations**:
  – Broadcom has indicated that there is no practical workaround for these vulnerabilities, stressing the need for immediate application of patches.
  – The fixes ship in vCenter Server versions 8.0 U3b and 7.0 U3s, along with corresponding patches for Cloud Foundation.
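The two fixed vCenter releases named above give a defender the minimum data needed for a first-pass inventory triage. The script below is an added example, not code from The Register or Broadcom: it parses version strings in the "7.0 U3s" / "8.0 U3b" form used in the article, assumes that patch-level letters within an update sort alphabetically (so U3r precedes U3s, and a bare U3 precedes U3a), and flags any host below the fixed release for its version line. The inventory is constructed sample data. Cloud Foundation is deliberately left out because the article does not name its fixed versions, and a production check should key on Broadcom's published build numbers rather than on this string format.

```python
import re
from dataclasses import dataclass

# Fixed vCenter Server releases as stated in the article. Cloud Foundation fix
# versions are not given on the page, so that product is not covered here.
FIXED_RELEASES = {
    "7.0": "7.0 U3s",
    "8.0": "8.0 U3b",
}

# Matches "8.0", "8.0 U3", "8.0 U3b" (assumed display format, case-insensitive "U").
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\s*[Uu](?P<update>\d+)(?P<patch>[a-z])?)?$"
)


@dataclass(frozen=True, order=True)
class VcenterVersion:
    """Comparable version tuple; order=True compares fields left to right.
    An empty patch letter sorts before "a", so "7.0 U3" < "7.0 U3a"."""
    major: int
    minor: int
    update: int
    patch: str

    @property
    def line(self) -> str:
        # The major.minor "line" the article's fixed releases are keyed on.
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> VcenterVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    return VcenterVersion(
        major=int(m["major"]),
        minor=int(m["minor"]),
        update=int(m["update"] or 0),
        patch=(m["patch"] or "").lower(),
    )


def is_patched(installed: str):
    """True if at or past the fixed release for its line, False if below it,
    None if the line is not one the article names (7.0 or 8.0)."""
    v = parse_version(installed)
    fixed = FIXED_RELEASES.get(v.line)
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map hostname -> 'patched' | 'UNPATCHED' | 'unknown-line' for a
    {hostname: version_string} inventory."""
    labels = {True: "patched", False: "UNPATCHED", None: "unknown-line"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}


def unpatched_hosts(inventory: dict) -> list:
    """Sorted list of hosts still below the fixed release for their line."""
    return sorted(h for h, status in triage(inventory).items() if status == "UNPATCHED")


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "vc-prod-01": "8.0 U3b",
        "vc-prod-02": "8.0 U3a",
        "vc-lab-01": "7.0 U3s",
        "vc-lab-02": "7.0 U3r",
        "vc-legacy": "6.7 U3",
    }
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:10} {status}")
    print("needs patching:", unpatched_hosts(sample))
```

Hosts reported as "unknown-line" are not cleared by this check; they are simply outside the two version lines the article names and need to be looked up against the vendor advisory separately.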

– **Discovery Context**:
  – The flaws were disclosed as part of a cybersecurity competition (the Matrix Cup Cyber Security Competition) held in June in China, where over 1,000 teams competed to identify vulnerabilities for prize money.
  – The successful identification of these flaws by Team TZL from Tsinghua University underscores the effectiveness of competitive hacking and bug bounties in improving software security.

This situation highlights critical lessons for security and compliance professionals, in particular the need for robust vulnerability-management practices that get patches for exploitable enterprise software applied promptly.