CVE-2024-37085 - VMware ESXi

Celia Catalán


On July 30, Microsoft published a post on its Threat Intelligence blog describing a newly discovered vulnerability affecting VMware ESXi hypervisors, which it says several ransomware groups have already exploited.

Vulnerability analysis

It has been assigned CVE-2024-37085 and is an authentication bypass in the Active Directory integration of VMware ESXi hypervisors.

ESXi hypervisors host virtual machines that can include critical servers in a network. In a ransomware attack, full administrative permission on an ESXi hypervisor means the attacker can encrypt the hypervisor's file system, which can stop the hosted servers from running. It also lets the attacker access the hosted virtual machines and possibly exfiltrate data or move laterally within the network.

It should be noted that ESXi should never be exposed to the internet, so attackers need prior access to the target environment before they can exploit the vulnerability and escalate privileges.

Several ransomware operators, such as Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest, are deploying the Akira and Black Basta ransomware families in their attacks. The observed attack technique uses the following commands:

    net group "ESX Admins" /domain /add
    net group "ESX Admins" username /domain /add

Detailed analysis of the attack revealed that VMware ESXi hypervisors joined to an Active Directory domain treat any member of a domain group called "ESX Admins" as having full administrative access by default. This group is not a built-in Active Directory group and does not exist by default. ESXi hypervisors do not validate that such a group exists when the host joins the domain, and they keep granting full administrative access to any member of a group with this name, even if the group did not originally exist.

Three exploitation methods were identified in the investigation:
  1. Adding the "ESX Admins" group to the domain and adding a user to it: This is the method actively exploited by the threat actors mentioned above. If the "ESX Admins" group does not exist, any domain user with the ability to create a group can escalate to full administrative access on the domain-joined ESXi hypervisors by creating the group and then adding themselves, or other users under their control, to it.
  2. Renaming any group in the domain to "ESX Admins" and adding a user to it, or using an existing member: This method is similar to the first, but here the threat actor needs a user with the ability to rename some arbitrary group and rename it to "ESX Admins". The threat actor can then add a user, or use a user that already belongs to the group, to escalate to full administrative access. Microsoft did not observe this method in practice.
  3. ESXi hypervisor privilege refresh: Even if the network administrator assigns a different domain group as the ESXi hypervisor management group, the full administrative privileges of the "ESX Admins" group members are not removed immediately, so threat actors could still abuse them. Microsoft did not observe this method in practice.

Exploitation of the vulnerability allows attackers with sufficient Active Directory (AD) permissions to gain full access to an ESXi host that was previously configured to use AD for user management, by re-creating the configured AD group ('ESXi Admins' by default) after it was removed from Active Directory.


Mitigation Guidance

The product versions affected by this vulnerability are:
  • VMware ESXi 8.0 (fixed in ESXi80U3-24022510)
  • VMware ESXi 7.0 (no patches planned)
  • VMware Cloud Foundation 5.x (fixed in 5.2)
  • VMware Cloud Foundation 4.x (no patches planned)

For mitigation, it is recommended to apply the security update published by VMware, together with the following guidelines:
  • If you cannot update the software, the following recommendations reduce the risk:
    • Validate that the "ESX Admins" group exists in the domain and is protected.
    • Manually deny access to this group by changing the configuration on the ESXi hypervisor itself. If you do not want the Active Directory "ESX Admins" group to have full administrator access, disable this behavior by setting the following advanced host setting to false:

    Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd

    • Change the management group to a different group on the ESXi hypervisor.
    • Add custom detections in your XDR/SIEM for the new group name.
    • Forward ESXi logs to a SIEM system and monitor for suspicious full administrative access.
  • Credential hygiene: All of the exploitation methods require the threat actor to control an elevated user in the organization. Our recommendation is therefore to protect elevated accounts in your organization, especially those that can manage other domain groups:
    • Enforce multi-factor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly enforce MFA on all devices, in all locations, at all times.
    • Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support them. For accounts that still require passwords, use authenticator apps such as Microsoft Authenticator for MFA.
    • Isolate privileged accounts from productivity accounts to protect administrative access to the environment.
  • Improve the posture of critical assets: Identify your critical assets in the network, such as ESXi hypervisors and vCenters (the centralized platform for managing VMware vSphere environments), and protect them with the latest security updates, monitoring procedures, and appropriate backup and recovery plans.
  • Identify vulnerable assets: Run authenticated scans of network devices using SNMP through the Microsoft Defender portal to identify vulnerabilities in devices such as ESXi hosts and receive security recommendations.
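The three exploitation methods above all leave a trace in the domain controllers' Security log: a group being created, a group being renamed, or a member being added to a group whose name matches the ESXi admin group. The following is an added example of the kind of custom XDR/SIEM detection recommended in the list above; it is not code from the original post, from Microsoft or from VMware. It assumes Windows Security event IDs 4727 (security-enabled global group created), 4728 (member added to a security-enabled global group) and 4781 (account name changed), with the EventData field names those events carry, and the events it runs over are constructed sample data:

```python
"""Added example (not code from the original post, from Microsoft or from VMware): a
SIEM-style detection that flags Active Directory group changes matching the
exploitation methods described in the post. Windows Security event IDs used:
  4727  A security-enabled global group was created
  4728  A member was added to a security-enabled global group
  4781  The name of an account was changed
The field names (SubjectUserName, TargetUserName, MemberName, OldTargetUserName,
NewTargetUserName) follow the EventData of those events. SAMPLE_EVENTS below is
constructed sample data, not real log output."""
from dataclasses import dataclass

GROUP_CREATED = 4727
MEMBER_ADDED = 4728
ACCOUNT_RENAMED = 4781

# Group that ESXi grants full admin rights to by default when joined to AD.
DEFAULT_ESX_ADMIN_GROUP = "ESX Admins"


@dataclass(frozen=True)
class Alert:
    kind: str       # "created", "renamed" or "member_added"
    event_id: int
    actor: str      # account that made the change (SubjectDomainName\SubjectUserName)
    group: str      # group name after the change
    detail: str


def _norm(name: str) -> str:
    # AD group names are matched case-insensitively; strip stray whitespace too.
    return name.strip().casefold()


def detect_esx_admins_abuse(events, custom_group=None):
    """Return one Alert per event that creates, renames into, or adds a member to
    a group carrying ESXi admin rights. The default name is always watched even
    when a custom group is configured, because (method 3 in the post) members
    of the default group keep their privileges until the host refreshes them."""
    watched = {_norm(DEFAULT_ESX_ADMIN_GROUP)}
    if custom_group:
        watched.add(_norm(custom_group))
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        actor = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        if eid == GROUP_CREATED and _norm(ev["TargetUserName"]) in watched:
            alerts.append(Alert("created", eid, actor, ev["TargetUserName"],
                                "domain group with an ESXi admin name was created"))
        elif eid == ACCOUNT_RENAMED and _norm(ev["NewTargetUserName"]) in watched:
            alerts.append(Alert("renamed", eid, actor, ev["NewTargetUserName"],
                                f"group '{ev['OldTargetUserName']}' renamed to an ESXi admin name"))
        elif eid == MEMBER_ADDED and _norm(ev["TargetUserName"]) in watched:
            alerts.append(Alert("member_added", eid, actor, ev["TargetUserName"],
                                f"member {ev['MemberName']} added"))
    return alerts


# Constructed sample events (not real logs): benign group activity mixed with the
# create-then-add pattern, a rename into the watched name, and an addition to a
# hypothetical custom admin group "VMware Admins".
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk01",
     "TargetUserName": "Printer Operators EU"},
    {"EventID": 4727, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk01",
     "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk01",
     "TargetUserName": "ESX Admins",
     "MemberName": "CN=helpdesk01,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "svc-hr",
     "TargetUserName": "HR Staff",
     "MemberName": "CN=new.hire,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectDomainName": "CORP", "SubjectUserName": "ops-admin",
     "OldTargetUserName": "Legacy Backup Ops", "NewTargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectDomainName": "CORP", "SubjectUserName": "ops-admin",
     "TargetUserName": "VMware Admins",
     "MemberName": "CN=contractor7,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for alert in detect_esx_admins_abuse(SAMPLE_EVENTS, custom_group="VMware Admins"):
        print(f"[{alert.event_id}] {alert.kind:<12} {alert.actor:<16} {alert.group}: {alert.detail}")
```

Run with the default group only, the sample data yields three alerts (create, add member, rename); passing the custom group name adds a fourth. Matching is case-insensitive because a renamed group such as "esx admins" is treated by ESXi exactly like "ESX Admins", and the default name stays on the watch list after a custom group is configured, which is the point of the third exploitation method.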

Conclusion

Aside from all these guidelines, Broadcom (owner of VMware) has warned about the vulnerability in an advisory that links to a workaround which changes several advanced ESXi settings to more secure values. The workaround page notes that for all versions of ESXi prior to ESXi 8.0 U3, "several advanced ESXi settings have default values that are not secure by default. The 'ESX Admins' AD group is automatically assigned the VIM Admin role when an ESXi host is joined to an Active Directory domain."

Javier Muñoz , cybersecurity analyst at Zerolynx