Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Software

Virtualization

VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation

Bug reports made in China

Iain Thomson Tue 17 Sep 2024  //  20:50 UTC

Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation.

The first flaw, CVE-2024-38812, is a heap overflow vulnerability in the Distributed Computing Environment/Remote Procedure Calls (DCERPC) system that could be exploited over the network to achieve remote code execution on unpatched systems. Corrupting the heap could allow an attacker to execute arbitrary code on the system. Broadcom rates it as a critical fix and it has a CVSS score of 9.8 out of 10.

The second one, CVE-2024-38813, is a privilege escalation flaw that ranks a CVSS score of 7.5 and one that VMware-owned Broadcom rates as important. Someone with network access to VMware's vulnerable software could exploit this to gain root privileges on the system.

We can imagine a miscreant with network access using CVE-2024-38812 to gain code execution on a box, and then using CVE-2024-38813 to step up to administrative control. This scenario isn't explicitly outlined in the advisory though Broadcom chose to pair the flaws together in its advisory today and FAQ.

Versions 7 and 8 of vCenter Server and versions 4 and 5 of VMware Cloud Foundation are at risk and Broadcom warns there is no practical workaround for these bugs. In other words, get patching.

The blunders are addressed in vCenter Server versions 8.0 U3b and 7.0 U3s, and Cloud Foundation with async patches to 8.0 U3b and 7.0 U3s.

The discovery of both flaws stemmed from the Matrix Cup Cyber Security Competition, held in June in China, which was organized by 360 Digital Security Group and Beijing Huayunan Information Technology Company. Over 1,000 teams competed to report holes in products for $2.75 million in prizes.

Zbl and srs of Team TZL at Tsinghua University were credited with discovering the bugs, which were disclosed to Broadcom to patch.

The team bagged the competition's Best Vulnerability Award, along with a $59,360 payday, showing once again that bug bounties and competitive hacking really work. ®
Send us news
1 Comment

Ingram Micro to 'stop doing business' with Broadcom, downgrade to 'limited engagement' on VMware

Distributor couldn't do a deal that delivered 'appropriate shareholder return', chip giant says it 'continues to refine' its channel

Broadcom says VMware is a better money-making machine than it hoped

Chip side of the biz expects to take lion's share of hyperscalers' $60-90 billion XPU spend in 2027, helped by 3nm models coming next year

Broadcom loses another big VMware customer: UK fintech cloud Beeks Group, and most of its 20,000 VMs

A massively increased bill was one motive, but customers went cold on Virtzilla, and OpenNebula proved more efficient

A year after Broadcom took control of VMware, it's in the box seat

Customers are 'all miserable' but not yet deciding to bail - and AT&T appears to have settled its licensing dispute

Broadcom makes U-turn on plan to serve top 2,000 VMware customers itself

Now wants to work with 500 and lean more on partners to defend against migrations – which Dell says are on the cards

AWS bends to Broadcom's will with VMware Cloud Foundation as-a-service

Microsoft, Oracle, and IBM are all doing it. Andy Jassy's rent-a-server shop may have felt it was leaving money on the table

No, Broadcom did not just end VMware's flagship VCDX certification program

Sure, it sent an email and FAQ saying it had – but that was a mistake, you see

Apple reportedly building AI server processor with help from Broadcom

Something called 'Baltra' expected to make its debut in 2026, perhaps with tech both already use

Critical security hole in Apache Struts under exploit

You applied the patch that could stop possible RCE attacks last week, right?

Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble

If you didn't fix this a month ago, your to-do list probably needs a reshuffle

Zabbix urges upgrades after critical SQL injection bug disclosure

US agencies blasted 'unforgivable' SQLi flaws earlier this year

Broadcom makes VMware Workstation and Fusion free for everyone

And yes, that does include commercial use in production