VMware Fixes Bad Patch for Critical vCenter Server RCE Flaw
Summary:
VMware has released a new security update for CVE-2024-38812, a critical remote code execution (RCE) vulnerability in VMware vCenter Server that wasn't fully addressed by the initial patch in September 2024. The flaw, with a CVSS score of 9.8, stems from a heap overflow issue in the DCE/RPC protocol, affecting vCenter Server and related products like vSphere and Cloud Foundation. It can be exploited without user interaction through specially crafted network packets.
Security Officer Comments:
The vulnerability was discovered by TZL researchers during the 2024 Matrix Cup in China. Together with CVE-2024-38813, a high-severity privilege escalation flaw, it prompted VMware to issue new patches for vCenter 7.0.3, 8.0.2, and 8.0.3. VMware has confirmed that the earlier patches released on September 17, 2024, did not fully resolve the issue and urges customers to apply the latest updates.
Suggested Corrections:
The new updates are available for vCenter Server 8.0 U3d, 8.0 U2e, and 7.0 U3t, while older versions such as vSphere 6.5 and 6.7 will not receive updates. No workarounds exist, so impacted users must apply the patches immediately. Although VMware has not observed active exploitation of these flaws, it recommends prompt action, as vCenter vulnerabilities are frequently targeted by threat actors seeking unauthorized access.
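As an added defender-side check that is not part of the original bulletin, the script below maps the fixed releases named above onto an inventory of vCenter version strings and flags hosts still below them or on an unsupported line. It assumes VMware issues update-suffix letters alphabetically (U3c before U3d) and that strings follow the "8.0 U3d" / "7.0.3" naming used in the bulletin; the authoritative check is the build number from the vendor advisory, which this page does not list.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by (release line, update number):
# 8.0 U3d, 8.0 U2e and 7.0 U3t. Anything earlier on the same line, including the
# incomplete September 2024 builds, is treated as vulnerable.
FIXED_RELEASES = {("8.0", 3): "d", ("8.0", 2): "e", ("7.0", 3): "t"}
# Lines the advisory says will receive no update.
END_OF_LIFE = {"6.5", "6.7"}

# Accepts "8.0 U3d", "8.0 U3", "7.0.3" and "6.7"; a leading product name is ignored.
VERSION_RE = re.compile(
    r"(?<![\d.])(\d+\.\d+)(?:\.(\d+)|\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)

@dataclass(frozen=True)
class VcVersion:
    line: str     # e.g. "8.0"
    update: int   # 3 for "U3" or "x.y.3"; 0 when no update level is given
    suffix: str   # "d" for "U3d"; "" for a bare "U3"

def parse_version(text: str) -> VcVersion:
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    line, dot_upd, u_upd, suf = m.groups()
    return VcVersion(line, int(dot_upd or u_upd or 0), (suf or "").lower())

def assess(text: str) -> str:
    """Return 'patched', or 'vulnerable: ...' / 'unsupported: ...' with the reason."""
    v = parse_version(text)
    if v.line in END_OF_LIFE:
        return f"unsupported: {v.line} receives no fix, migrate to a supported line"
    fixed = FIXED_RELEASES.get((v.line, v.update))
    if fixed is None:
        return f"vulnerable: {v.line} update {v.update} is not a fixed line, upgrade"
    # Assumption: patch suffixes are issued alphabetically, so "" < "a" < "b" < ...
    if v.suffix >= fixed:
        return "patched"
    return f"vulnerable: below {v.line} U{v.update}{fixed}"

def audit(inventory: dict) -> dict:
    """Map host -> finding for every host that is not on a fixed release."""
    findings = {host: assess(ver) for host, ver in inventory.items()}
    return {h: f for h, f in findings.items() if f != "patched"}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"vc-prod-01": "vCenter Server 8.0 U3d", "vc-prod-02": "8.0 U3c",
              "vc-lab-01": "7.0.3", "vc-legacy": "vSphere 6.7 U3"}
    for host, finding in audit(sample).items():
        print(f"{host}: {finding}")
```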
Link(s):
https://www.bleepingcomputer.com/ne...d-patch-for-critical-vcenter-server-rce-flaw/