VMware critical RCE vulnerability in vCenter Server identified during $2.5 million Chinese zero day competition

There is no workaround for the critical CVE, which is one of a pair of bugs which let attackers carry out remote code execution or escalate privileges.

Patch immediately because there is no workaround for the vulnerabilities (Photo by Markus Spiske on Unsplash)

Broadcom has fixed two VMware vCenter Server bugs that allow remote code execution or privilege escalation - both of which were found during a Chinese competition dedicated to discovering zero-day vulnerabilities.

The first, CVE-2024-38812, has a critical 9.8 rating and is a heap-overflow vulnerability in the implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Calls) protocol. A threat actor with network access to vCenter Server could trigger this bug by sending a specially crafted network packet, potentially enabling them to carry out remote code execution.

A second bug (CVE-2024-38813) lets attackers with network access to vCenter Server escalate privileges to root by sending a specially crafted network packet.

Broadcom is "not currently aware" of exploitation in the wild.

vCenter Server is an "advanced server management software that provides a centralized platform for controlling your VMware vSphere environments" – letting admins manage ESX and ESXi servers and VMs. 

Versions 7 and 8 of vCenter Server and versions 4 and 5 of VMware Cloud Foundation are vulnerable to the bug. Broadcom has warned there is no workaround, which means it's time to get patching.

"A heap-overflow vulnerability and a privilege escalation vulnerability in vCenter Server were responsibly reported to VMware," Broadcom wrote in a security advisory. "Updates are available to remediate these vulnerabilities in affected VMware products."

Two members of a team called TZL from Tsinghua University were specifically credited as having identified the bugs. The vulns were discovered during a competition called The Matrix Cup, which pays bounties from a prize pool of $2.5 million.

However, any zero days discovered in China must be handed to the ruling Communist Party government, thanks to a rule introduced in 2021 which said: "No one may 'collect, sell or publish information on network product security vulnerabilities'."

"VMware would like to thank zbl & srs of team TZL working with the 2024 Matrix Cup contest for reporting this issue to us," Broadcom wrote.

A write-up of this year's Matrix Cup said that TZL "discovered a vulnerability in a virtualization management platform with the leading global market share", according to Google Translate.

"This crack is of great value in improving the security of cloud infrastructure," the report continued. "The TZL team won the best vulnerability award for this move."

Earlier this year, threat researchers at Mandiant announced that a Chinese threat group had exploited a critical vCenter Server vulnerability for two years without being detected. 

The CVSS 9.8 vulnerability, allocated CVE-2023-34048 and affecting almost all versions of vCenter Server, was patched by VMware in October 2023.

In a January 19 blog post, Mandiant said UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 since as far back as late 2021.

"UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected," the company warned.
