VMware Heap Overflow Vulnerability
By Kalani Anderson on October 25, 2024
Executive Summary
On October 21, 2024, VMware released an updated security advisory revealing that a vulnerability previously disclosed in September 2024 had not been completely addressed, as initially believed. The heap overflow vulnerability (CVE-2024-38812) allows a threat actor with network access to a targeted system to craft a custom network packet that can lead to remote code execution against affected systems. While a patch was released last month, VMware has now released another update intended to fully address the vulnerability. Users running any version of vCenter prior to the new update are encouraged to update their installations.
Background
VMware is a software company whose products relate mainly to virtualization, allowing users to run virtual machines (VMs) with various operating systems and software tools on a host device [1]. Heap overflow attacks are a subcategory of buffer overflow attacks and rely on the threat actor overflowing a buffer that has been allocated in the heap portion of a system’s memory [2]. Heap memory is reserved for application execution and is sometimes referred to as “dynamic memory” since its allocation depends on the specific program being run. Heap overflow attacks are known to be stealthy since a successful attack does not result in an immediate crash of the system or noticeable system errors [3].
The vulnerability requires the threat actor to have network access and access to a system’s vCenter, VMware’s server management software used to manage and control virtualization environments [4]. CVE-2024-38812 was first discovered in June 2024 during a Chinese hacking competition, the 2024 Matrix Cup, which is known for “harvesting” zero-day vulnerabilities. Under Chinese law, any zero-day vulnerabilities that are discovered are to be disclosed only to the Chinese government and the product manufacturer [5]. The vulnerability was assigned a base score of 9.8 and a severity rating of critical, making it extremely important for users to update their installations to mitigate additional risk [6].
Exploitation
CVE-2024-38812 is a heap overflow vulnerability in vCenter’s implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol. Exploiting it depends on the threat actor having access to the target’s network and to vCenter [5]. After obtaining network access, the threat actor would have to craft a custom, malicious network packet and send it to the targeted system. Once received by the target, the packet could enable attacks such as remote code execution on the system [7].
Significance and Impact
While the full extent of the vulnerability has not been fully disclosed to the public, VMware is one of the largest virtualization software developers, with over 500,000 customers worldwide [8]. Additionally, since VMware allows customers to run VMs on many devices across their networks, the number of machines potentially affected by the vulnerability could easily be in the millions, making this vulnerability critical to address in order to mitigate further exploitation.
Mitigation
VMware strongly encourages all affected users to update their systems to the release listed in the “Fixed Version” column of the advisory’s “Response Matrix” in order to mitigate additional risk [6]. To determine whether a system is affected, users can reference VMware’s VMSA (VMware Security Advisory) bulletin to check whether their version of vSphere or VMware Cloud Foundation is unsupported. In addition, any users of vCenter versions 7.0.3, 8.0.2, or 8.0.3 are encouraged to update their software, as a new patch has been released to address the vulnerability [9]. It is also important for users to follow sound security practices to minimize the possibility of future buffer overflow attacks: secure coding practices, runtime protection services, input validation, vulnerability scanning, and regular security updates [10].
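The Background and Exploitation sections describe the bug class in general terms (a network packet whose contents overflow a heap-allocated buffer) and the Mitigation section names input validation as a defence. The following C program is an added illustration of that pattern, written for this page; it is not VMware’s code, not the DCERPC wire format, and says nothing about the actual defect in vCenter. It assumes a constructed toy message format (one declared-length byte followed by payload bytes) and shows the unchecked parser beside the hardened one, with a helper returning the hardened parser’s verdict on three constructed sample packets.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy message format used for this illustration (constructed; it is NOT the
 * DCERPC wire format and says nothing about the real vCenter defect):
 *   byte 0      : declared payload length
 *   bytes 1..n  : payload
 */
#define MAX_PAYLOAD 16

typedef struct {
    uint8_t len;
    uint8_t data[MAX_PAYLOAD];
} message_t;

/* Vulnerable pattern: the length byte comes straight off the network and is
 * trusted. malloc() places message_t on the heap, so a declared length larger
 * than MAX_PAYLOAD writes past the end of the allocation and corrupts whatever
 * neighbouring heap data follows it. Nothing faults at the memcpy itself, which
 * is why such bugs can stay quiet until the corrupted data is later used. */
message_t *parse_message_unchecked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return NULL;
    message_t *m = malloc(sizeof *m);
    if (m == NULL) return NULL;
    m->len = pkt[0];
    memcpy(m->data, pkt + 1, m->len);   /* BUG: m->len never compared to MAX_PAYLOAD or pkt_len */
    return m;
}

/* Hardened pattern: validate the attacker-controlled length against both the
 * destination buffer and the number of bytes actually received before copying. */
message_t *parse_message_checked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return NULL;
    uint8_t declared = pkt[0];
    if (declared > MAX_PAYLOAD) return NULL;            /* would overflow m->data */
    if ((size_t)declared > pkt_len - 1) return NULL;    /* claims bytes that were never received */
    message_t *m = malloc(sizeof *m);
    if (m == NULL) return NULL;
    m->len = declared;
    memcpy(m->data, pkt + 1, declared);
    return m;
}

/* Convenience wrapper: payload length accepted by the hardened parser, or -1 if
 * the packet was rejected. */
int checked_payload_len(const uint8_t *pkt, size_t pkt_len) {
    message_t *m = parse_message_checked(pkt, pkt_len);
    if (m == NULL) return -1;
    int n = m->len;
    free(m);
    return n;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_PKT[]      = { 4, 'a', 'b', 'c', 'd' };
static const uint8_t OVERSIZED_PKT[] = { 200, 'x', 'x', 'x' };   /* claims 200 bytes; buffer holds 16 */
static const uint8_t TRUNCATED_PKT[] = { 8, 'a', 'b' };          /* claims 8 bytes; only 2 follow */

int main(void) {
    /* The unchecked parser is only ever fed the well-formed packet here; feeding it
     * OVERSIZED_PKT would be undefined behaviour (the heap overflow itself). */
    message_t *m = parse_message_unchecked(GOOD_PKT, sizeof GOOD_PKT);
    printf("unchecked, well-formed packet: len=%d\n", m ? m->len : -1);
    free(m);

    printf("checked, well-formed: %d\n", checked_payload_len(GOOD_PKT, sizeof GOOD_PKT));           /* 4 */
    printf("checked, oversized:   %d\n", checked_payload_len(OVERSIZED_PKT, sizeof OVERSIZED_PKT)); /* -1 */
    printf("checked, truncated:   %d\n", checked_payload_len(TRUNCATED_PKT, sizeof TRUNCATED_PKT)); /* -1 */
    return 0;
}
```

The two rejections in the hardened parser correspond to the two ways a declared length can lie: exceeding the destination buffer (the heap overflow) and exceeding the bytes actually received (an out-of-bounds read). For the “runtime protection” and “vulnerability scanning” items above, the practical check during development is to build test binaries with `-fsanitize=address` (GCC and Clang): AddressSanitizer turns the silent heap write in `parse_message_unchecked` into an immediate, reported abort when a fuzzer or unit test hands it a malformed packet, which is exactly the visibility the “stealthy” description in the Background section says is missing in production.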
Conclusion
VMware’s heap overflow vulnerability is another demonstration of the importance of practicing good cybersecurity habits. Users of third-party applications should always determine whether adopting an application and its inherent risk is acceptable to the organization and whether the application will help meet the organization’s strategic objectives. If the application is essential to an organization, then safe practices and policies such as installing regular update patches, running vulnerability scans, and segmenting the organization’s network are all good practices to follow.
References
[1] IBM. (2024, August 14). What is VMware? https://www.ibm.com/topics/vmware
[2] MyF5. (2023, February 21). K53293427: What is a Heap Overflow attack? https://my.f5.com/manage/s/article/K53293427
[3] Srivastava, A. (2022, December 31). Heap-based buffer overflow attacks: The stealthy threat to your system’s security. Medium. https://medium.com/@aviral23/heap-based-buffer-overflow-attacks-the-stealthy-threat-to-your-systems-security-423e36429865
[4] VMware. (n.d.). Server management software – vCenter. https://www.vmware.com/products/cloud-infrastructure/vcenter
[5] Naraine, R. (2024, October 21). VMware struggles to fix flaw exploited at Chinese hacking contest. SecurityWeek. https://www.securityweek.com/vmware-struggles-to-fix-flaw-exploited-at-chinese-hacking-contest/
[6] Broadcom. (2024, October 21). VMSA-2024-0019: VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813). https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968
[7] Naraine, R. (2024a, September 17). VMware patches remote code execution flaw found in Chinese hacking contest. SecurityWeek. https://www.securityweek.com/vmware-patches-remote-code-execution-flaw-found-in-chinese-hacking-contest/
[8] IBM. (2024, August 14). What is VMware? https://www.ibm.com/topics/vmware#:~:text=VMware%20grew%20to%20become%20the,share%20with%20over%20500%2C000%20customers
[9] VMware. (2024, October 21). VMSA-2024-0019. In VCF Security and Compliance Guidelines (security-advisories/vmsa-2024-0019). GitHub. https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2024-0019
[10] Indusface. (2024, June 12). Buffer overflow attack: Prevention and detection. https://www.indusface.com/learning/what-is-buffer-overflow-attack/