VMware failed to fix critical CVSS 9.8 vCenter Server bug

An earlier patch for a vulnerability discovered by Chinese hackers "did not fully address" the issue it was meant to fix, the Broadcom-owned firm admits.

VMware has released another patch for a critical bug tracked as CVE-2024-38812 that was first discovered by Chinese hackers, admitting that a fix released more than a month ago "did not fully address" the vulnerability.

On September 17, 2024, the cloud and virtualisation firm released patches for two security vulnerabilities that were found and (allegedly) resolved in VMware vCenter.

Now it has confessed that "security and functional issues [were] reported after the original disclosure" as it released new fixes and urged all customers to deploy them immediately. The revelation raises the question of whether customers were left vulnerable for weeks after applying a "patch" they thought would protect them.

"You are affected if you are running any version of vSphere or VMware Cloud Foundation," VMware wrote. "If you have a question about whether you are affected it is likely that you are, and should take action immediately."

Both vulnerabilities are memory management and corruption issues that can be used against VMware vCenter services.

CVE-2024-38812 has a critical 9.8 rating and is a heap overflow vulnerability in the implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Calls) protocol. A threat actor with network access to vCenter Server could trigger this bug by sending a specially crafted network packet, potentially enabling them to carry out remote code execution.

A second bug (CVE-2024-38813) has a CVSSv3 score of 7.5 and lets attackers with network access to vCenter Server escalate privileges to root by sending a specially crafted network packet.

When it first released patches for the bugs, Broadcom said it was "not currently aware" of exploitation in the wild.


"VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not fully address CVE-2024-38812," the firm wrote in its latest security advisory.

"All customers are strongly encouraged to apply the patches currently listed in the Response Matrix."

Security updates are now available for VMware vCenter Server 8.0 U3d, 8.0 U2e, and 7.0 U3t.

Older product versions that are out of their support window, including vSphere 6.5 and 6.7, are impacted by the bugs but will not receive security updates.
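As an added example (not code from the article or from Broadcom), a small triage helper that classifies a vCenter Server version string against the fixed releases and unsupported trains named above. The "MAJOR.MINOR U<n><letter>" string layout and the alphabetical ordering of letter patches within an update train are assumptions.

```python
import re
from typing import NamedTuple

# Fixed vCenter Server releases named in the advisory (taken from the article),
# keyed by (major, minor, update) with the letter patch that carries the fix.
FIXED = {
    (8, 0, 3): "d",  # 8.0 U3d
    (8, 0, 2): "e",  # 8.0 U2e
    (7, 0, 3): "t",  # 7.0 U3t
}
SUPPORTED_TRAINS = {(8, 0), (7, 0)}
# Out-of-support trains that are affected but will receive no fix (from the article).
UNSUPPORTED = {(6, 5), (6, 7)}

# Assumed layout of a version string: "8.0 U3d", "7.0 U3" or "6.5".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+U(\d+)([a-z])?)?$")


class VCVersion(NamedTuple):
    major: int
    minor: int
    update: int
    letter: str  # "" when the update has no letter patch, e.g. "8.0 U3"


def parse_version(text: str) -> VCVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return VCVersion(int(major), int(minor), int(update or 0), letter or "")


def patch_status(text: str) -> str:
    """Classify a version against the CVE-2024-38812 re-release.

    "patched": at or above the fixed release on its train.
    "vulnerable": below the fix, or on a train with no listed fix (upgrade needed).
    "vulnerable-unsupported": affected, but no fix will ship for this train.
    "unknown": a major.minor the article does not cover.
    """
    v = parse_version(text)
    if (v.major, v.minor) in UNSUPPORTED:
        return "vulnerable-unsupported"
    if (v.major, v.minor) not in SUPPORTED_TRAINS:
        return "unknown"
    fix_letter = FIXED.get((v.major, v.minor, v.update))
    if fix_letter is None:
        return "vulnerable"  # e.g. 8.0 U1: remedy is moving to a fixed train
    # Within a train an unlettered release precedes all letter patches ("" < "a").
    return "patched" if v.letter >= fix_letter else "vulnerable"
```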

Two members of a team called TZL from Tsinghua University, China, were specifically credited for identifying the bugs during a competition called The Matrix Cup, which pays bounties from a prize pool of $2.5 million. 

"VMware would like to thank zbl & srs of team TZL working with the 2024 Matrix Cup contest for reporting this issue to us," Broadcom wrote.

A write up of this year's Matrix Cup said that TZL "discovered a vulnerability in a virtualization management platform with the leading global market share", according to Google Translate. 

"This crack is of great value in improving the security of cloud infrastructure," the report continued. "The TZL team won the best vulnerability award for this move."