www.belgium.be Logo of the federal government

WARNING: VMWARE ESXI CVE-2024-37085 IS ACTIVELY EXPLOITED, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-117
Version: 
1.0
Affected software: 
VMWare ESXi: v7.x & < v8.0 Update 3
VMware Cloud Foundation: v4.x & < v5.2
Type: 
Authentication bypass
CVE/CVSS: 

CVE-2024-37085: CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

Sources

Official manufacturer - https://support.broadcom.com/web/ecx/support-content-notification/-/exte...

NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-37085

Risks

The premise of CVE-2024-37085 is that domain-joined ESXi will automatically check for a certain Active Directory group. If the group name exists, all members of that group will be granted admin privileges over the ESXi server.

A malicious actor with sufficient Active Directory (AD) permissions can set up the group, resulting in all AD group members gaining administrator privileges and thus full control over the ESXi server. According to Microsoft this vulnerability is actively exploited in the wild to deploy ransomware.

Description

VMWare ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines.

The vulnerability, identified as CVE-2024-37085, only affects domain-joined hypervisors. It concerns a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft researchers identified three methods for exploiting this vulnerability:

  • Adding the involved group to the domain and adding a user to it
  • Renaming any group in the domain and adding a user to the group or use an existing group member
  • ESXi hypervisor privileges refresh

Please note each vendor has stated a different group name targeted for exploitation. Broadcom documentation indicates that ESXi will grant admin access to any users in an Active Directory group called “ESXi Admins”, while Microsoft makes no mention of “ESXi Admins” and instead advises to be on the lookout for “ESX Admins”. Clarification by the vendor is expected in the near future.

According to Microsoft researchers CVE-2024-37085 is being exploited by several ransomware operators.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.

Mitigate

Harden your installation by changing the default insecure settings. Implement the vendor guidelines documented in KB369707.

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices, after thorough testing. Since the vendor has indicated no patch is planned for older versions, a major update might be required to remediate CVE-2024-37086.

Monitor/Detect

The CCB recommends organisations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion. Pending vendor clarification, please monitor for the creation/modification of both "ESX Admins" and "ESXi Admins".

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Microsoft - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-oper...

Rapid7 AttackerDB - https://attackerkb.com/topics/2llWJbMF0o/cve-2024-37085

Vendor Knowledge Base - https://knowledge.broadcom.com/external/article/369707/

Sean Metcalf (adsecurity.org) - https://x.com/PyroTek3/status/1817976511150145999