Critical VMware vCenter Server Flaws Under Active Attack: CISA Issues Urgent Warning
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two critical vulnerabilities in VMware vCenter Server that are currently being exploited in the wild. These flaws, identified as CVE-2024-38812 and CVE-2024-38813, pose a significant risk to organizations using VMware virtualization products, including vSphere and Cloud Foundation.
CVE-2024-38812 (CVSS 9.8), a remote code execution (RCE) vulnerability, allows attackers to gain complete control of affected systems. Discovered by TZL security researchers during China’s Matrix Cup hacking contest, this flaw stems from a heap overflow weakness in vCenter’s DCE/RPC protocol implementation. Exploiting this vulnerability could enable attackers to execute arbitrary code, potentially leading to data breaches, system disruption, and malware deployment.
The second vulnerability, CVE-2024-38813 (CVSS 7.5), is a privilege escalation flaw. By sending a specially crafted network packet, attackers can exploit this weakness to gain root privileges on the targeted vCenter Server. This level of access grants them unrestricted control over the entire virtualization environment, amplifying the potential damage significantly.
VMware, now part of Broadcom, confirmed the active exploitation of both vulnerabilities on November 18th. Although security updates were initially released in September, a subsequent advisory in October revealed that the original patch for CVE-2024-38812 was incomplete. This highlights the critical nature of these flaws and the urgency for immediate action.
CISA has added both vulnerabilities to its Catalog of Known Exploited Vulnerabilities (KEV) and mandated that all Federal Civilian Executive Branch (FCEB) agencies apply necessary mitigations by December 11th, 2024.
What you should do:
- Patch immediately: No workarounds are available. Apply the latest security updates from VMware without delay to effectively mitigate these vulnerabilities.
- Monitor systems: Increase vigilance and monitor your vCenter Server environment for any suspicious activity.
- Review security posture: This incident underscores the importance of a robust security posture. Regularly review and update your security practices, including vulnerability scanning and penetration testing.
