About Remote Code Execution – VMware vCenter (CVE-2024-38812)

The Remote Code Execution vulnerability in VMware vCenter (CVE-2024-38812) was published on September 17. An attacker with network access to the vCenter Server can send a specially crafted network packet and achieve remote code execution. The cause is a heap overflow in the DCERPC protocol implementation.

The vulnerability was discovered during The Matrix Cup competition by a team from Tsinghua University. There is no write-up yet. There is only one repository on GitHub, where some no-name is selling the exploit for $105 (update: a confirmed scam). On AttackerKB, another no-name claims to have seen the vulnerability exploited in the wild. The reliability of that claim is questionable.

However, we remember a similar RCE vulnerability in vCenter DCERPC, CVE-2023-34048, which has been exploited in targeted attacks since 2021. At that time, Censys reported about 293 vCenter hosts with DCERPC accessible from the Internet.

Chances are high that there will be a big story with this vulnerability too.
