[SECURITY-L] VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)

CSIRT Unicamp security at unicamp.br
Thu Sep 19 13:36:05 -03 2024


Product/Component: VMware Cloud Foundation (1 more product)
Notification Id: 24968
Last Updated: 17 September 2024
Initial Publication Date: 17 September 2024
Status: OPEN
Severity: CRITICAL
CVSS Base Score: 7.5-9.8
WorkAround:
Affected CVE: CVE-2024-38812, CVE-2024-38813


*Advisory ID:*  VMSA-2024-0019
*Severity:* Critical
*CVSSv3 Range:* 7.5-9.8
*Synopsis:* VMware vCenter Server updates address heap-overflow and
privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
*Issue date:* 2024-09-17
*Updated on:* 2024-09-17 (Initial Advisory)
*CVE(s)* CVE-2024-38812, CVE-2024-38813


*1. Impacted Products*

   - VMware vCenter Server
   - VMware Cloud Foundation

*2. Introduction*

A heap-overflow vulnerability and a privilege escalation vulnerability in
vCenter Server were responsibly reported to VMware. Updates are available
to remediate these vulnerabilities in affected VMware products.

*3a. VMware vCenter Server heap-overflow vulnerability (CVE-2024-38812)*


*Description:* The vCenter Server contains a heap-overflow vulnerability in
the implementation of the DCERPC protocol. VMware has evaluated the
severity of this issue to be in the Critical severity range
<https://www.vmware.com/support/policies/security_response.html> with a
maximum CVSSv3 base score of 9.8
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>.


*Known Attack Vectors:* A malicious actor with network access to vCenter
Server may trigger this vulnerability by sending a specially crafted
network packet potentially leading to remote code execution.


*Resolution:* To remediate CVE-2024-38812 apply the updates listed in the
'Fixed Version' column of the 'Response Matrix' below to affected
deployments.


*Workarounds:* In-product workarounds were investigated, but were determined
to not be viable.


*Additional Documentation:* A supplemental FAQ was created for additional
clarification. Please see: https://bit.ly/vcf-vmsa-2024-0019-qna


*Acknowledgments:* VMware would like to thank zbl & srs of team TZL working
with the 2024 Matrix Cup contest for reporting this issue to us.


*Notes:* None.

*3b. VMware vCenter privilege escalation vulnerability (CVE-2024-38813)*


*Description:* The vCenter Server contains a privilege escalation
vulnerability. VMware has evaluated the severity of this issue to be
in the Important severity range
<https://www.vmware.com/support/policies/security_response.html> with a
maximum CVSSv3 base score of 7.5
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>.


*Known Attack Vectors:* A malicious actor with network access to vCenter
Server may trigger this vulnerability to escalate privileges to root by
sending a specially crafted network packet.


*Resolution:* To remediate CVE-2024-38813 apply the updates listed in the
'Fixed Version' column of the 'Response Matrix' below to affected
deployments.


*Workarounds:* None.


*Additional Documentation:* A supplemental FAQ was created for additional
clarification. Please see: https://bit.ly/vcf-vmsa-2024-0019-qna


*Acknowledgments:* VMware would like to thank zbl & srs of team TZL working
with the 2024 Matrix Cup contest for reporting this issue to us.


*Notes:* None.


*Response Matrix: 3a & 3b*

*VMware Product:* vCenter Server
*Version:* 8.0
*Running On:* Any
*CVE:* CVE-2024-38812, CVE-2024-38813
*CVSSv3:* 9.8 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>, 7.5 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>
*Severity:* Critical
*Fixed Version:* 8.0 U3b <https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u3b-release-notes/index.html>
*Workarounds:* None
*Additional Documentation:* FAQ <https://bit.ly/vcf-vmsa-2024-0019-qna>

*VMware Product:* vCenter Server
*Version:* 7.0
*Running On:* Any
*CVE:* CVE-2024-38812, CVE-2024-38813
*CVSSv3:* 9.8 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>, 7.5 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>
*Severity:* Critical
*Fixed Version:* 7.0 U3s <https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3s-release-notes/index.html>
*Workarounds:* None
*Additional Documentation:* FAQ <https://bit.ly/vcf-vmsa-2024-0019-qna>

*VMware Product:* VMware Cloud Foundation
*Version:* 5.x
*Running On:* Any
*CVE:* CVE-2024-38812, CVE-2024-38813
*CVSSv3:* 9.8 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>, 7.5 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>
*Severity:* Critical
*Fixed Version:* Async patch to 8.0 U3b <https://knowledge.broadcom.com/external/article?legacyId=88287>
*Workarounds:* None
*Additional Documentation:* Async Patching Guide: KB88287 <https://knowledge.broadcom.com/external/article?legacyId=88287>

*VMware Product:* VMware Cloud Foundation
*Version:* 4.x
*Running On:* Any
*CVE:* CVE-2024-38812, CVE-2024-38813
*CVSSv3:* 9.8 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>, 7.5 <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>
*Severity:* Critical
*Fixed Version:* Async patch to 7.0 U3s <https://knowledge.broadcom.com/external/article?legacyId=88287>
*Workarounds:* None
*Additional Documentation:* Async Patching Guide: KB88287 <https://knowledge.broadcom.com/external/article?legacyId=88287>


*4. References:*

*Fixed Version(s) and Release Notes:*


*VMware vCenter Server 8.0 U3b* Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5515
https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-vcenter-server-80u3b-release-notes/index.html


*VMware vCenter Server 7.0 U3s* Downloads and Documentation:
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5513
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3s-release-notes/index.html

*KB Articles:*
Cloud Foundation 5.x/4.x:
https://knowledge.broadcom.com/external/article?legacyId=88287


*Mitre CVE Dictionary Links:*
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38813

*FIRST CVSSv3 Calculator:*
CVE-2024-38812:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-38813:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

*5. Change Log:*

*2024-09-17 VMSA-2024-0019* Initial security advisory.

*6. Contact:*

E-mail: vmware.psirt at broadcom.com

PGP key
https://knowledge.broadcom.com/external/article/321551

VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories

VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response

VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle

VMware Security Blog
https://blogs.vmware.com/security

X
https://x.com/VMwareSRC

Copyright 2024 Broadcom All rights reserved.
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830