On 21 October 2024, Broadcom released updated fixes for the critical Remote Code Execution (RCE) vulnerability CVE-2024-38812 in vCenter Server and Cloud Foundation, because the initial patch from September did not fully resolve the issue. The vulnerability is a heap-overflow flaw in the implementation of the DCERPC protocol: an attacker with network access to vCenter Server can trigger it by sending specially crafted network packets, potentially leading to RCE.
CVE-2024-38812 was responsibly disclosed to VMware by security researchers. VMware has stated that they have not identified any active exploitation, and Arctic Wolf has not found a publicly available proof-of-concept exploit at this time. Vulnerabilities in VMware vCenter Server and Cloud Foundation have been exploited by threat actors in the past, as noted in CISA’s Known Exploited Vulnerabilities Catalog. With these products being widely used, threat actors may reverse-engineer the patches and develop exploits in the near future.
Recommendations
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| VMware vCenter | 8.0 | 8.0 U3d or 8.0 U2e |
| VMware vCenter | 7.0 | 7.0 U3t |
| VMware Cloud Foundation | 5.x | Async patch to 8.0 U3d |
| VMware Cloud Foundation | 5.1.x | Async patch to 8.0 U2e |
| VMware Cloud Foundation | 4.x | Async patch to 7.0 U3t |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
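To turn the fixed-version table into a repeatable check, the following added example (not part of the Arctic Wolf advisory and not a Broadcom tool) parses human-readable vCenter version strings of the form used above ("8.0 U3d") and reports whether each entry in a constructed inventory is at or above the fixed level for its release branch. The version-string format, the ordering of patch letters (no letter < a < b < ...), and the assumption that an update train newer than any listed fixed train also carries the fix are all assumptions of this example; the authoritative check remains Broadcom's published build numbers.

```python
import re
from typing import NamedTuple

# Fixed vCenter Server versions exactly as listed in the advisory table,
# keyed by release branch -> list of (update train, patch letter).
FIXED_VERSIONS = {
    "8.0": [(3, "d"), (2, "e")],   # 8.0 U3d or 8.0 U2e
    "7.0": [(3, "t")],             # 7.0 U3t
}


class VCenterVersion(NamedTuple):
    branch: str   # release branch, e.g. "8.0"
    update: int   # update train, e.g. 3 for "U3"; 0 when absent
    patch: str    # patch letter, e.g. "d"; "" when absent


# Assumed human-readable format: "<major>.<minor>[ U<n>[<letter>]]"
VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> VCenterVersion:
    """Parse a version string such as '8.0 U3d' into its comparable parts."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    branch, update, patch = match.groups()
    return VCenterVersion(branch, int(update) if update else 0, (patch or "").lower())


def is_patched(version: str) -> bool:
    """Return True only if the version is at or above a fixed level in the table."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v.branch)
    if fixed is None:
        # Branch not covered by the advisory table: do not assume it is fixed.
        return False
    for train, letter in fixed:
        if v.update == train:
            # Same update train: single-letter string comparison orders
            # "" < "a" < "b" < ..., so "8.0 U3" and "8.0 U3c" are below "d".
            return v.patch >= letter
    # Assumption: an update train newer than every listed fixed train carries the fix.
    return v.update > max(train for train, _ in fixed)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host name to 'patched' or 'needs upgrade'."""
    return {
        host: ("patched" if is_patched(version) else "needs upgrade")
        for host, version in inventory.items()
    }


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "vcsa-prod-01": "8.0 U3d",
    "vcsa-prod-02": "8.0 U3c",
    "vcsa-dr-01": "8.0 U2e",
    "vcsa-legacy-01": "7.0 U3s",
    "vcsa-lab-01": "7.0 U3t",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as "needs upgrade" should be scheduled for the fixed version in the table above; a host whose branch is not in the table is deliberately reported as needing attention rather than assumed safe.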