VMware vCenter: Patch ineffective, new update necessary

In mid-September, Broadcom patched a critical security vulnerability in VMware vCenter. The fix was incomplete. A new update corrects this.

Image: Stylized graphic of a burning VMware logo on a laptop. Security gaps in VMware products put users at risk.

(Image: created with AI in Bing Designer by heise online / dmk)


Broadcom has released new updates for VMware vCenter Server that close a critical and a high-severity vulnerability. It is the second attempt to fix them: the patches published in September turned out to be incomplete.

Broadcom had already published the security notice together with a software update in mid-September. Now the company has updated the announcement and writes: "VMware by Broadcom has determined that the September 17, 2024, vCenter patches do not fully patch the CVE-2024-38812 vulnerability. All customers are strongly encouraged to install the patches listed in the Response Matrix. In addition, patches are now available for the vCenter 8.0 U2 series."

The vulnerability with the CVE entry CVE-2024-38812 is a heap-based buffer overflow that the developers rate as critical, with a CVSS score of 9.8. An attacker with network access to vCenter Server can trigger the error in the implementation of the DCERPC protocol by sending specially crafted network packets to vulnerable machines and thereby execute malicious code on them.


The fixed versions are now VMware vCenter 8.0 U3d, 8.0 U2e and 7.0 U3t; VMware Cloud Foundation deployments receive the same vCenter builds (8.0 U3d, 8.0 U2e and 7.0 U3t). All of them are newer than the September updates, which turned out not to fix the vulnerability completely.
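The practical trap in this advisory is that a host which received the September patch still reports a vCenter version that looks current but is below the new fixed build, and that the fixed builds differ per release line (8.0 U2e is fixed although 8.0 U3c sorts higher). The following triage script is an added example written for this article, not code from heise or Broadcom: it compares an inventory of vCenter versions, written in the advisory's own "major.minor Un<letter>" notation, against the three fixed builds named above. The inventory entries and host names are constructed for illustration; the version notation and the per-line comparison rule are assumptions made here, so validate the output against the vendor's response matrix.

```python
import re
from dataclasses import dataclass

# Fixed builds from the updated advisory, keyed by release line
# (major.minor, update number) -> first patch letter that carries the full fix.
FIXED = {
    ("7.0", 3): "t",  # 7.0 U3t
    ("8.0", 2): "e",  # 8.0 U2e
    ("8.0", 3): "d",  # 8.0 U3d
}

# Assumed notation: "8.0 U3d", "7.0 U3", "8.0 U2e" (the base update release
# carries no letter). Real vCenter appliances also expose a numeric build
# number; mapping builds to this notation is outside this example.
_VERSION_RE = re.compile(r"^(\d+\.\d+)\s+U(\d+)([a-z]?)$")


@dataclass(frozen=True)
class VcVersion:
    line: str      # "7.0" or "8.0"
    update: int    # the Un number
    letter: str    # patch letter, "" for the base update release

    @classmethod
    def parse(cls, text: str) -> "VcVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised vCenter version string: {text!r}")
        return cls(m.group(1), int(m.group(2)), m.group(3))


def status(version: VcVersion) -> str:
    """Classify one version against the advisory.

    Comparison is per release line: a build is only safe if it is on a line
    that has a fixed build AND its patch letter is at or beyond that build.
    A higher-numbered line with an older letter (8.0 U3c) is still vulnerable
    even though a lower line (8.0 U2e) is fixed.
    """
    key = (version.line, version.update)
    if key not in FIXED:
        # No fixed build exists for this line: the host has to move to a
        # supported line rather than apply a letter patch.
        return "no_fixed_build"
    # Single-letter patch suffixes order lexically; "" (base release) < "a".
    return "fixed" if version.letter >= FIXED[key] else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map host name -> status for a {host: version_string} inventory."""
    return {host: status(VcVersion.parse(ver)) for host, ver in inventory.items()}


# Constructed inventory for illustration; not real hosts or data from the article.
SAMPLE_INVENTORY = {
    "vc-prod-01": "8.0 U3c",  # below U3d: still exposed despite being "patched"
    "vc-prod-02": "8.0 U3d",  # fixed
    "vc-lab-01": "8.0 U2e",   # fixed, even though U3c numerically looks newer
    "vc-legacy": "7.0 U3s",   # below U3t
    "vc-old": "8.0 U1c",      # no fixed build on this line at all
}

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:10s} {result}")
```

Feed the script your real inventory (for example exported from a CMDB or collected from each appliance) and treat both "vulnerable" and "no_fixed_build" as action items; the second category cannot be fixed by a letter patch and needs an upgrade to one of the three lines that have a fixed build.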

IT managers should download and install the updates as soon as possible, including on systems where the September patch has already been applied, since that patch does not close the hole. VMware systems are a popular target for cybercriminals. At the beginning of 2023, for example, there were large-scale waves of attacks on VMware ESXi systems: thousands of ESXi servers were attacked and attempts were made to deploy ransomware on them. The attacks focused on France, the USA, Germany and Canada, the German Federal Office for Information Security warned at the time.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.