VMware ESXi Active Directory Integration Authentication Bypass (Moderate)
Tuesday July 30, 2024
VMware ESXi contains an authentication bypass vulnerability, CVE-2024-37085, that has been exploited as a zero-day by several ransomware operators. ESXi hosts that use Active Directory (AD) for user management grant full administrative access to members of a domain group named "ESX Admins" by default, and do not verify that the group exists or that an administrator created it. An attacker who already holds AD permissions to create or rename groups can therefore create (or rename another group to) "ESX Admins", add an account to it, and obtain full administrative permissions on every domain-joined ESXi host, which the ransomware operators used to mass encrypt the hypervisors' file systems. The vulnerability has a CVSS base score of 6.8; the moderate rating reflects that the attacker must already hold privileges in AD. The advisory can be read on Broadcom's site.
Impacted products
- VMware ESXi
- VMware vCenter Server
- VMware Cloud Foundation
Remediation
Update to the fixed version as soon as possible: for ESXi this is version 8.0 Update 3, and for VMware Cloud Foundation it is version 5.2; both are linked from Broadcom's advisory. Broadcom has stated that no patch is planned for ESXi 7.0 or Cloud Foundation 4.x, so hosts on those releases must either be upgraded or rely on the workaround below.
For further guidance on protecting your environment beyond applying VMware's security updates, see Microsoft's post (under "Mitigation and protection guidance").
Customers with Defender for Endpoint and/or Defender for Identity should watch for the following alerts, which may indicate threat activity associated with this vulnerability:
- Suspicious modifications to ESX Admins group
- New group added suspiciously
- Suspicious Windows account manipulation
- Compromised account conducting hands-on-keyboard attack
- Suspicious creation of ESX group
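For environments without Defender, the same activity can be hunted in the domain controllers' Security logs. The Python below is an added example, not part of this advisory or of Broadcom's or Microsoft's material: it flags the three AD-side steps of the attack described above, creation of a group named "ESX Admins" (events 4727/4754), an existing group renamed to that name (4737/4755, where the new name appears in SamAccountName), and members added to such a group (4728/4756). The field names (SubjectUserName, TargetUserName, SamAccountName, MemberName) follow the EventData of those events as exported from the Security log; verify them against your SIEM's schema before relying on the logic. The sample records are constructed.

```python
"""Hunt for the Active Directory side of CVE-2024-37085 in Windows Security events.

A domain-joined ESXi host grants full admin rights to members of the domain group
named in Config.HostAgent.plugins.hostsvc.esxAdminsGroup ("ESX Admins" by default).
The events below are what a domain controller logs when an attacker mints that
group, renames another group to that name, or adds a member to it:
  4727 / 4754  security-enabled global / universal group created
  4737 / 4755  security-enabled global / universal group changed (a rename shows
               the new name in SamAccountName, "-" when the name did not change)
  4728 / 4756  member added to a security-enabled global / universal group
"""
import json
import re
from typing import Iterable, Optional

# Default group name ESXi looks for. Set this to the value of the host's
# esxAdminsGroup advanced setting if it was changed.
ESX_ADMINS_GROUP = "ESX Admins"

GROUP_CREATED = {4727, 4754}
GROUP_CHANGED = {4737, 4755}
MEMBER_ADDED = {4728, 4756}

# Match case-insensitively and tolerate whitespace variants ("esxadmins",
# "ESX  Admins") so trivial obfuscation does not slip past the hunt; AD's own
# sAMAccountName comparison is case-insensitive anyway.
_NAME_RE = re.compile(
    r"\s*" + r"\s*".join(map(re.escape, ESX_ADMINS_GROUP.split())) + r"\s*",
    re.IGNORECASE,
)


def is_esx_admins_name(name: Optional[str]) -> bool:
    """True if a group name would be treated as the ESXi admin group."""
    return bool(name) and _NAME_RE.fullmatch(name) is not None


def triage_event(ev: dict) -> Optional[dict]:
    """Return a finding for one parsed Security event, or None if it is benign."""
    eid = ev.get("EventID")
    actor = ev.get("SubjectUserName", "?")
    group = ev.get("TargetUserName")  # group the event is about (pre-rename name for 4737)
    if eid in GROUP_CREATED and is_esx_admins_name(group):
        technique, detail = "group_created", f"{actor} created group '{group}'"
    elif eid in GROUP_CHANGED and is_esx_admins_name(ev.get("SamAccountName")):
        technique = "group_renamed"
        detail = f"{actor} renamed group '{group}' to '{ev['SamAccountName']}'"
    elif eid in MEMBER_ADDED and is_esx_admins_name(group):
        technique = "member_added"
        detail = f"{actor} added {ev.get('MemberName', '?')} to group '{group}'"
    else:
        return None
    return {"record": ev.get("EventRecordID"), "event_id": eid,
            "technique": technique, "detail": detail}


def hunt(events: Iterable[dict]) -> list:
    """Run triage_event over parsed events and keep the findings, in log order."""
    return [f for f in (triage_event(ev) for ev in events) if f]


def hunt_jsonl(text: str) -> list:
    """Same hunt over a SIEM export with one JSON object per line."""
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample events (not real log data): a create-and-add sequence by
# "jdoe", a rename by "helpdesk1", two benign changes, and a universal-group
# variant without the space in the name.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    {"EventRecordID": 102, "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventRecordID": 103, "EventID": 4737, "SubjectUserName": "helpdesk1",
     "TargetUserName": "Print Operators2", "SamAccountName": "esx admins"},
    {"EventRecordID": 104, "EventID": 4728, "SubjectUserName": "helpdesk1",
     "TargetUserName": "Finance",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
    {"EventRecordID": 105, "EventID": 4737, "SubjectUserName": "admin2",
     "TargetUserName": "Finance", "SamAccountName": "-"},
    {"EventRecordID": 106, "EventID": 4754, "SubjectUserName": "jdoe",
     "TargetUserName": "ESXAdmins", "TargetDomainName": "CORP"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['record']}] {finding['event_id']} {finding['technique']}: {finding['detail']}")
```

Pair the findings with the host side: a hit on any of the three techniques is only dangerous if some ESXi host is still AD-joined with the default group and auto-grant enabled, so correlate with the advanced settings named in the workaround below and with ESXi shell or vCenter logins by the added account. If you renamed the admin group as a workaround, set ESX_ADMINS_GROUP to that name and keep a second run with the default, since attackers will still target the default.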
Workaround
KB369707 lists in-product workarounds for this CVE. They centre on the ESXi advanced settings that control the AD admin group: disabling the automatic grant (Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd set to false) and/or pointing Config.HostAgent.plugins.hostsvc.esxAdminsGroup at a group you control. Microsoft observed that privileges already granted to "ESX Admins" members are not immediately revoked when the configured group is changed, so verify each host's permissions after applying the workaround.
Resources
A detailed post by Microsoft was published on July 29 and presents an analysis of the CVE, details of an observed attack, and further mitigation and protection guidance: https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
Broadcom’s advisory: https://knowledge.broadcom.com/external/article?legacyId=1025569
NIST Vulnerability Database entry: https://nvd.nist.gov/vuln/detail/CVE-2024-37085
AttackerKB article: https://attackerkb.com/topics/2llWJbMF0o/cve-2024-37085