Date of Disclosure: September 17, 2024
Date Reported as Actively Exploited (source): November 18, 2024
CVE-2024-38812 is a heap-overflow vulnerability in vCenter Server’s implementation of the DCERPC protocol, and CVE-2024-38813 is a privilege escalation vulnerability. Both vulnerabilities were published to NVD in September 2024, and were confirmed to be actively exploited in the wild on November 18, 2024. It is therefore recommended that users apply the patches referenced in this advisory immediately.
VMware vCenter servers are typically accessible over the network to manage virtual environments. If not properly secured due to misconfigured firewalls or unrestricted network access, unauthorized users may be able to exploit these vulnerabilities.
The exposed instances in the Censys Perspective section of this advisory may appear to be VMware vSphere Web Client devices, but these devices likely include vCenter components as well. The distinction matters because vSphere is the overall virtualization suite, whereas vCenter specifically refers to the centralized management system that controls virtual environments.
For example, assets accessible at https://<server-ip>/ui are tied to the vSphere Web Client, the primary interface for managing virtual machines, clusters, and resources. Meanwhile, assets accessible at https://<server-ip>:5480 pertain to the vCenter Server Appliance Management Interface (VAMI), which focuses on appliance configuration, updates, and health monitoring.
Identifying these endpoints in exposed asset inventories helps ensure proper risk assessment and mitigation, as vulnerabilities targeting vCenter (e.g., CVE-2024-38812 and CVE-2024-38813) can pose significant threats to virtual infrastructure when left unpatched or improperly secured.
CVE-ID:
- CVE-2024-38812 – CVSS 9.8 (critical) – assigned by VMware
- CVE-2024-38813 – CVSS 9.8 (critical) – assigned by NVD; 7.5 (high) – assigned by VMware

Vulnerability Description:
- CVE-2024-38812: The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
- CVE-2024-38813: The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.

Date of Disclosure: September 17, 2024

Affected Assets: VMware vCenter and VMware Cloud Foundation

Vulnerable Software Versions:
VMware vCenter:
- 7.0 (before Update 3t)
- 8.0 (before Update 3d)
VMware Cloud Foundation:
- 5.x (before 8.0 Update 3d)
- 5.1.x (before 8.0 Update 2e)
- 4.x (before 7.0 Update 3t)

PoC Available?: A GitHub user claims to be in possession of a PoC, but it has yet to be made public or proven to exploit either vulnerability.

Exploitation Status: VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813.

Patch Status: VMware by Broadcom has released fixed versions for all affected products. More details can be found in the response matrix in this security advisory.
Censys Perspective
At the time of writing, Censys observed 4,420 exposed VMware vCenter Servers online. A large proportion of these (21%) are geolocated in the United States. Censys observed about 6% of the exposed instances to be associated with OVHcloud (ASN 16276), a cloud provider delivering hosted private cloud, public cloud, and dedicated server solutions. Note that not all of these are necessarily vulnerable, as specific version information is not available.
This Nuclei template can potentially be used to test known VMware vCenter Servers to confirm whether or not they are vulnerable to CVE-2024-38812. Nuclei is an open-source vulnerability scanning tool developed by ProjectDiscovery.
Map of Exposed VMware vCenter Servers:
Censys Search Query:
services.software: (vendor="VMware" and product="vCenter")
Censys ASM Query:
host.services.software.vendor="VMware" and host.services.software.product="vCenter"
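The following script is an added example (not Censys's tooling or the advisory's own code) showing how a defender can apply the same vendor/product predicate as the queries above to an exported host inventory and label each matching host by the two interfaces described earlier (the vSphere Web Client at /ui and the VAMI on port 5480), so that patch verification can be prioritized. The record shape and the sample records are constructed for illustration; they are not real Censys output.

```python
"""Triage an exported host inventory for exposed VMware vCenter endpoints."""
from collections import defaultdict

# Constructed sample records in a Censys-like shape (not real Censys output);
# addresses are RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "path": "/ui", "vendor": "VMware", "product": "vCenter"},
    {"ip": "192.0.2.10", "port": 5480, "path": "/", "vendor": "VMware", "product": "vCenter"},
    {"ip": "192.0.2.20", "port": 443, "path": "/ui", "vendor": "VMware", "product": "vSphere Web Client"},
    {"ip": "192.0.2.30", "port": 22, "path": None, "vendor": "OpenBSD", "product": "OpenSSH"},
    {"ip": "192.0.2.40", "port": 5480, "path": "/", "vendor": "VMware", "product": "vCenter"},
]

def vcenter_confidence(record):
    """Mirror the advisory's query (vendor VMware, product vCenter); a vSphere Web
    Client fingerprint counts as a probable vCenter, since the advisory notes those
    hosts likely carry vCenter components too. Returns None for non-matches."""
    if record.get("vendor") != "VMware":
        return None
    return {"vCenter": "confirmed", "vSphere Web Client": "probable"}.get(record.get("product"))

def classify_endpoint(record):
    """Label the exposed interface using the two endpoints the advisory describes."""
    if record.get("port") == 5480:
        return "VAMI (:5480)"
    if record.get("port") == 443 and (record.get("path") or "").startswith("/ui"):
        return "vSphere Web Client (/ui)"
    return "other"

def triage(records):
    """Group matching records by host: {ip: {"confidence": ..., "endpoints": [...]}}.
    A host is 'confirmed' if any of its services matched the vCenter query."""
    hosts = defaultdict(lambda: {"confidence": "probable", "endpoints": set()})
    for rec in records:
        conf = vcenter_confidence(rec)
        if conf is None:
            continue
        entry = hosts[rec["ip"]]
        if conf == "confirmed":
            entry["confidence"] = "confirmed"
        entry["endpoints"].add(classify_endpoint(rec))
    return {ip: {"confidence": e["confidence"], "endpoints": sorted(e["endpoints"])}
            for ip, e in hosts.items()}

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_RECORDS).items()):
        print(ip, info["confidence"], ", ".join(info["endpoints"]))
```

Hosts flagged "confirmed" with either endpoint exposed should be checked against the fixed versions listed above before anything else.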