VMware patching of identified vCenter RCE hits snag

Updates issued by VMware for its vCenter Server platform continue to not completely address a critical remote code execution vulnerability, tracked as CVE-2024-38812, which was initially identified and exploited at the Matrix Cup hacking competition in China in June, SecurityWeek reports.

Such a flaw — which is a heap overflow in the platform’s Distributed Computing Environment / Remote Procedure Call protocol — could be leveraged by threat actors with vCenter Server network access to facilitate code execution through a custom network packet, according to VMware, which did not provide additional information about the inadequate fix. However, VMware was able to remediate a high-severity privilege escalation issue in vCenter Server, tracked as CVE-2024-38813, with the recent update. “A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet,” said VMware.