DIVD-2024-00048 - VMware vCenter Server heap-overflow and remote code execution vulnerabilities
| Our reference | DIVD-2024-00048 |
| Case lead | Oscar Vlugt |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Install the update as soon as possible |
| Patch status | Available |
| Workaround | None |
| Status | Open |
| Last modified | 27 Nov 2024 08:39 CET |
Summary
The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote execution. vCenter Server also contains a privilege escalation vulnerability which allows an malicious actor to escalate privileges to root by sending a specially crafted network packet.
Recommendations
To remediate CVE-2024-38812 and CVE-2024-38813 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments. You can find the ‘Response Matrix’ at the bottom of this post.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of vCenter Server and to notify these parties. We do this by looking at the version numbers if possible. Although our fingerprinting cannot confirm if instances are vulnerable to the initial attack vector, we want to issue a warning that a critical infrastructural component is exposed if it falls within the specified vulnerable versions.
Timeline
| Date | Description |
|---|---|
| 22 Nov 2024 | DIVD starts researching the vulnerability. |
| 22 Nov 2024 | DIVD finds fingerprint, preparing to scan. |
| 26 Nov 2024 | DIVD starts scanning the internet for vulnerable instances. |
| 27 Nov 2024 | DIVD starts notifying owners of potentially vulnerable instances. |