Two critical VMware vCenter vulnerabilities, CVE-2024-38812 and CVE-2024-38813, are actively being exploited after Broadcom’s initial patch efforts fell short. These flaws, impacting a vital tool for managing virtual machine fleets, have become prime targets for cybercriminals, ranging from ransomware gangs to nation-state actors. Here’s what you need to know and how to respond effectively.

What Happened?

1. Initial Patching and Oversight:
   Broadcom first released patches on September 17, 2024, to address the two vCenter flaws. However, these patches failed to fully remediate the vulnerabilities, prompting a second update in October. At the time, Broadcom assured customers that no active exploitation had been observed.
2. Exploitation Confirmed:
   On November 18, 2024, Broadcom issued an alert confirming that both vulnerabilities had been exploited “in the wild.” The attackers are now leveraging these flaws to target organizations that have yet to apply the latest patches.
3. Criticality of the Vulnerabilities:
   • CVE-2024-38812: A critical heap-overflow vulnerability in the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol. With a CVSS score of 9.8, it allows attackers with network access to execute arbitrary code remotely by sending crafted packets.
   • CVE-2024-38813: A high-severity privilege escalation vulnerability with a CVSS score of 7.5. It enables attackers to escalate privileges to root, assuming they already have network access to a vCenter server.
4. Targets at Risk:
   • Versions Affected: vCenter Server 7 and 8, VMware Cloud Foundation 4 and 5.
   • The vulnerabilities put entire fleets of virtual machines at risk, making vCenter an attractive target for attackers aiming for maximum impact.

Why Is This Significant?

vCenter servers are critical to managing thousands of virtual machines in enterprise environments. Exploiting these vulnerabilities could grant attackers full control of virtual environments, enabling data theft, ransomware deployment, or other malicious actions. Past incidents have shown that VMware vulnerabilities are favored by both ransomware gangs and nation-state actors, emphasizing the urgency of addressing these flaws.

How to Fix It

1. Apply the Latest Patches Immediately:
   • Ensure that Broadcom’s October update is applied to all affected vCenter Server and VMware Cloud Foundation installations. Confirm patch status through thorough audits.
2. Limit Network Exposure:
   • Restrict vCenter access to trusted IPs using firewalls and network segmentation.
   • Ensure vCenter is not directly exposed to the internet.
3. Monitor for Signs of Exploitation:
   • Deploy intrusion detection systems (IDS) to monitor traffic for abnormal activity targeting vCenter.
   • Review logs for suspicious access attempts or crafted DCERPC packets.
4. Implement Strong Access Controls:
   • Enforce multi-factor authentication (MFA) for administrative access to vCenter.
   • Regularly audit user permissions to prevent privilege escalation opportunities.
5. Develop an Incident Response Plan:
   • Ensure your organization is prepared to respond to breaches, including isolating affected systems and recovering from backups.

Lessons Learned

This incident underscores the importance of testing and verifying patches before release. Organizations should maintain robust patch management practices, ensuring updates are applied promptly and thoroughly validated. Additionally, reducing attack surfaces and enhancing monitoring capabilities are essential for mitigating risks from delayed or incomplete patches.

Conclusion

The exploitation of CVE-2024-38812 and CVE-2024-38813 is a critical reminder of the need for vigilance in securing enterprise infrastructure. Organizations must act swiftly to patch affected systems, limit exposure, and enhance monitoring. As VMware vulnerabilities continue to be a favorite target for cybercriminals, proactive security measures are paramount to safeguarding virtualized environments.

Overview of Microsoft’s Windows 11 and Copilot+ Updates

Microsoft continues to evolve its Windows 11 platform, introducing new and innovative features aimed at enhancing productivity and user experience. One of the most notable updates includes the integration of Copilot+, a powerful AI-driven assistant designed to streamline daily tasks, enhance user workflows, and leverage machine learning for more intuitive user interactions.

However, with the latest updates, including the feature called “Recall,” users should be aware of the potential implications for data privacy and security.

What is the “Recall” Feature?

The “Recall” feature embedded within Windows 11’s Copilot+ represents a significant advancement in personal digital assistance. This feature allows Windows to capture and store a comprehensive record of user interactions. By maintaining a detailed history of activities such as browsing, messaging, and application use, “Recall” supports the following functionalities:

• Automatic retrieval of documents and files previously accessed
• Contextual suggestions based on prior usage
• Enhanced AI-driven recommendations for productivity

While these capabilities can be beneficial, the “Recall” feature raises significant concerns regarding the storage and handling of sensitive information.

Potential Risks Associated with “Recall”

The core functionality of “Recall” entails capturing user data to enhance context awareness. However, this comprehensive data logging includes the recording and storage of:

• Passwords and other authentication details
• Browsing history and website activity
• Multimedia files, including videos and images
• Private messages and emails

These data points may include confidential information that, if exposed or mishandled, could pose significant privacy and security risks. For users who prioritize data security or work in sensitive environments, these data collection practices can be problematic.

How to Disable the “Recall” Feature in Windows 11

Given the nature of the information “Recall” may store, users concerned about privacy or operating within strict data security protocols may choose to disable this feature. Disabling “Recall” can provide greater control over personal data and prevent potential vulnerabilities.

To disable “Recall,” follow these steps:

1. Open the Command Prompt with administrative privileges. You can do this by searching for “Command Prompt” in the Start menu, right-clicking it, and selecting Run as administrator.
2. Enter the following command to disable the feature:
3. C:\Windows\System32> Dism /Online /Disable-Feature /Featurename:Recall
4. Press Enter and wait for the process to complete. Once finished, restart your system to apply the changes.
5. Disabling “Recall” Using Microsoft Intune

For IT administrators who prefer disabling “Recall” to safeguard sensitive information for end users, Microsoft Intune offers a structured method for implementing this policy across devices. Follow the procedure below to disable “Recall”:

Procedure:

1. Navigate to Configuration Profiles:
   • Go to Devices → Windows → Configuration Profiles.
   • Create a new policy with the platform set to Windows 10 and later and the profile type set to Templates.
2. Select the Custom Template:
   • Choose Custom for the template and click Create.
3. Name and Describe the Policy:
   • Enter a name and description for the policy, then proceed to add configuration settings.
4. Configure the Settings:
   • Add a new configuration setting with the following OMA-URI:plaintextCopy code./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
   • Set the value to disable data analysis.
5. Assign and Apply Scope Tags:
   • Ensure the appropriate scope tag is selected and assign the policy to the device group(s) to which you wish to apply the configuration.
6. Set Applicability Rules:
   • Configure an applicability rule to exclude devices running Windows versions prior to Windows 11 24H2, as “Recall” is not available in earlier versions.
7. Review and Create the Policy:
   • Review the policy settings and create the configuration to deploy it to your device group(s).

Implications of Disabling “Recall”

Disabling “Recall” will prevent Windows 11 from capturing a detailed record of user interactions and analyzing them using AI. While this enhances data security, users may lose some of the personalized assistance and context-aware suggestions provided by Copilot+. IT administrators should weigh these trade-offs to decide on the best approach for their organization.

Best Practices for Windows 11 Users

For users who choose to keep “Recall” enabled but want to maintain better control over their data, consider implementing the following best practices:

1. Review Privacy Settings Regularly: Regularly audit Windows 11’s privacy settings to manage which data is shared with Microsoft services.
2. Use Built-in Security Tools: Utilize Windows Defender and other built-in tools to monitor for any potential threats.
3. Educate Team Members: If operating in an organizational setting, ensure that all users are informed about the “Recall” feature and how to manage it appropriately.

Conclusion

Microsoft’s “Recall” feature within Windows 11’s Copilot+ represents a leap forward in productivity-focused technology. However, it also underscores the need for users to remain vigilant about their data privacy and security. Disabling “Recall” can be a practical step for those prioritizing personal or professional data protection. As Windows 11 continues to evolve, understanding and managing these advanced features is key to balancing innovation with security.

In today’s digital world, cloud computing has revolutionized how businesses operate, offering flexibility and scalability. However, this shift to the cloud also comes with unique security challenges. Kali Purple is here to help you cross these challenges by providing powerful tools for vulnerability assessments and penetration tests specifically designed for cloud environments.

Understanding Cloud Security
With sensitive data and critical applications stored in the cloud, it’s vital to ensure that these virtual assets are well-protected. Kali Purple combines the best of offensive and defensive strategies, allowing security professionals to identify vulnerabilities before attackers can exploit them.

Vulnerability Assessments
Kali Purple equips users with tools like OpenVAS and Nmap, which are essential for scanning cloud infrastructures. With these tools, you can identify misconfigurations, outdated software, and other vulnerabilities that could pose risks to your cloud services. Regular assessments help ensure your cloud environment remains secure and compliant with industry standards.

Penetration Testing
Once vulnerabilities are identified, Kali Purple enables you to conduct penetration tests to simulate real-world attacks. Using tools like Metasploit, you can test the effectiveness of your security measures, assess potential risks, and gain insights into how an attacker might breach your defenses. This proactive approach is essential for improving your cloud security posture.

To master these techniques and explore the full potential of Kali Purple, check out Mastering Kali Purple – For Vulnerability Assessment and Penetration Testing by El Mostafa Ouchen. This complete guide offers step-by-step instructions and practical examples that will empower you to safeguard your cloud assets effectively. Whether you’re new to cybersecurity or an experienced professional, this book is your ultimate resource for mastering cloud security with Kali Purple. Protect your virtual assets today and stay one step ahead of cyber threats!