Skip to the content.

DIVD-2024-00048 - VMware vCenter Server heap-overflow and remote code execution vulnerabilities

Our reference DIVD-2024-00048
Case lead Oscar Vlugt
Researcher(s)
CVE(s)
Products
  • VMware vCenter
Versions
  • vCenter 7 Update 3 lower than version 7.0 U3t (24322018)
  • vCenter 8 Update 2 lower than version 8.0 U2e (24321653)
  • vCenter 8 Update 3 lower than version 8.0 U3d (24322831)
Recommendation Install the update as soon as possible
Patch status Available
Workaround None
Status Open
Last modified 27 Nov 2024 08:39 CET

Summary

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote execution. vCenter Server also contains a privilege escalation vulnerability which allows an malicious actor to escalate privileges to root by sending a specially crafted network packet.

Recommendations

To remediate CVE-2024-38812 and CVE-2024-38813 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below to affected deployments. You can find the ‘Response Matrix’ at the bottom of this post.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of vCenter Server and to notify these parties. We do this by looking at the version numbers if possible. Although our fingerprinting cannot confirm if instances are vulnerable to the initial attack vector, we want to issue a warning that a critical infrastructural component is exposed if it falls within the specified vulnerable versions.

Timeline

Date Description
22 Nov 2024 DIVD starts researching the vulnerability.
22 Nov 2024 DIVD finds fingerprint, preparing to scan.
26 Nov 2024 DIVD starts scanning the internet for vulnerable instances.
27 Nov 2024 DIVD starts notifying owners of potentially vulnerable instances.
gantt title DIVD-2024-00048 - VMware vCenter Server heap-overflow and remote code execution vulnerabilities dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00048 - VMware vCenter Server heap-overflow and remote code execution vulnerabilities (still open) :2024-11-22, 2024-12-10 section Events DIVD starts researching the vulnerability. : milestone, 2024-11-22, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-11-22, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-11-26, 0d DIVD starts notifying owners of potentially vulnerable instances. : milestone, 2024-11-27, 0d

More information