VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation
ID: cf972ca7-e41f-5ab7-86c6-5c347cd9df9e
STIX ID: report--cf972ca7-e41f-5ab7-86c6-5c347cd9df9e
Feed Name: The Register (Security)
Broadcom released patches for two vulnerabilities in VMware vCenter Server and VMware Cloud Foundation: CVE-2024-38812, a network-exploitable DCERPC heap overflow that can lead to remote code execution (CVSS 9.8), and CVE-2024-38813, a privilege-escalation bug that can yield root (CVSS 7.5). Affected vCenter Server versions 7 and 8 and Cloud Foundation versions 4 and 5 are fixed in vCenter 8.0 U3b and 7.0 U3s (and corresponding Cloud Foundation async patches); Broadcom warns there is no practical workaround and urges patching. The flaws were reported by Team TZL at the Matrix Cup competition.
