
Critical ESXi Authentication Bypass Vulnerability Grants Full Admin Privileges – CVE-2024-37085

August 8, 2024

Author: Vivek Doshi, Xage Security

A vulnerability in the ESXi hypervisor, uncovered by Microsoft, allows a malicious user with sufficient Active Directory permissions to gain full access to a domain-joined ESXi host. The vulnerability, CVE-2024-37085, is a post-compromise technique: it can only be exploited once an attacker has already escalated privilege through a previously successful attack.

According to Microsoft, the vulnerability has been leveraged for ransomware by several groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest. After a successful exploit, the ransomware group can encrypt the hypervisor's file system as well as attack the VMs hosted on those ESXi hypervisors. The access can also be used to gain a foothold and then move laterally within the network.

[Image: a digital globe representing privilege escalation to global admin status via ESXi vulnerabilities]

How does the “ESX Admins” attack work?

The post-compromise technique consists of running the commands below to create an "ESX Admins" group in the domain and add users to that group:

net group "ESX Admins" /domain /add

net group "ESX Admins" username /domain /add

The purpose of these commands is to exploit a vulnerability on domain-joined ESXi hosts that grants members of that group full administrative privileges on the host.

According to Microsoft, threat actors can exploit CVE-2024-37085 by doing one of the following:

  1. Adding the "ESX Admins" group to the domain and adding a user to it
    This method is actively exploited in the wild by the above-mentioned threat actors. If the "ESX Admins" group doesn't exist, any domain user with the ability to create a group can escalate privileges to full administrative access on domain-joined ESXi hypervisors by creating such a group and then adding themselves, or other users under their control, to it.
  2. Renaming any group in the domain to "ESX Admins" and adding a user to the group, or using an existing group member
    This method is similar to the first, but here the threat actor needs a user with the capability to rename arbitrary groups, and renames one of them to "ESX Admins". The threat actor can then add a user, or use a user that already exists in the group, to escalate privileges to full administrative access. This method was not observed in the wild by Microsoft.
  3. ESXi hypervisor privileges refresh
    Even if the network administrator assigns a different domain group to be the management group for the ESXi hypervisor, the full administrative privileges granted to members of the "ESX Admins" group are not immediately removed, and threat actors could still abuse them. This method was not observed in the wild by Microsoft.
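The three methods above all leave a trace in Active Directory's own audit log: a security-enabled group is created, a group is changed (a rename surfaces here with the new name), or a member is added. The following detector, an added example that is not code from the Xage post, runs over simplified Windows Security events and flags only the ones involving a group named "ESX Admins". The event IDs are the standard group-lifecycle IDs; the field names (EventID, SubjectUserName, TargetUserName, SamAccountName, MemberName) are assumptions about how a SIEM normalizes the events, and every sample event is constructed rather than captured from a real domain.

```python
"""Added example (not from the Xage post): flag Active Directory group events
that match the three CVE-2024-37085 abuse patterns described above."""
import json
from dataclasses import dataclass
from typing import List, Optional

SUSPECT_GROUP = "esx admins"

# Security-enabled group lifecycle events (global / local / universal variants)
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}   # a rename is reported as "group changed"
MEMBER_ADDED = {4728, 4732, 4756}


@dataclass
class Finding:
    event_id: int
    technique: str   # which of the three methods above this event matches
    actor: str       # account that performed the change
    detail: str      # group name or, for member additions, the member DN


def normalize(name: str) -> str:
    """Case-insensitive compare, tolerating a DOMAIN\\ prefix on the group name."""
    return name.split("\\")[-1].strip().lower()


def names_in(event: dict) -> set:
    """Group names an event may carry: the target group and, for a group-changed
    event, the SAM account name attribute (assumed field name; see lead-in)."""
    return {normalize(event.get(k, "")) for k in ("TargetUserName", "SamAccountName")}


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for an event that touches the suspect group, else None."""
    eid = event.get("EventID")
    if SUSPECT_GROUP not in names_in(event):
        return None
    actor = event.get("SubjectUserName", "?")
    if eid in GROUP_CREATED:
        return Finding(eid, "group-created", actor, event.get("TargetUserName", ""))
    if eid in GROUP_CHANGED:
        return Finding(eid, "group-renamed-or-changed", actor, event.get("TargetUserName", ""))
    if eid in MEMBER_ADDED:
        return Finding(eid, "member-added", actor, event.get("MemberName", "?"))
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Parse one JSON event per line and keep only the matching findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: a group is created, a user is added to it, another group
# is renamed to the same name, plus two unrelated events for contrast.
SAMPLE_EVENTS = [
    '{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"}',
    '{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "CORP\\\\ESX Admins", '
    '"MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"}',
    '{"EventID": 4737, "SubjectUserName": "svc-help", "TargetUserName": "ESX Admins", '
    '"SamAccountName": "ESX Admins"}',
    '{"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Admins", '
    '"MemberName": "CN=ops,CN=Users,DC=corp,DC=example"}',
    '{"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event_id} {f.technique:<26} by {f.actor}: {f.detail}")
```

Because the host-side privilege is keyed purely on the group's name, the detector deliberately ignores which group object was involved and matches on the name alone; the third sample shows why checking both name fields matters for the rename case, where the old and new names can differ between fields.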

ESXi hypervisors are a very popular virtualization product used across enterprise networks and, as a result, are an appealing target for cyber criminals. In early 2023, VMware ESXi hypervisors were the target of a massive ransomware attack during which more than 3200 servers were compromised worldwide, according to cybersecurity firm Censys. In 2022, researchers at Trend Micro found another Linux-based ransomware used to attack ESXi servers.

Additionally, ESXi hypervisors give ransomware broader reach, since encrypting the hypervisor impacts every virtual machine hosted on it. Furthermore, Microsoft noted that because many security products have limited visibility into ESXi hypervisors, they are a popular target for threat actors.

Mitigation guidance to help organizations protect their systems from CVE-2024-37085

  • Install security updates from Broadcom: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
  • If patching is not possible in the near term, carry out the following to reduce the risk:
    • Validate that the group "ESX Admins" exists in the domain and is hardened
    • Manually deny access by this group by changing settings in the ESXi hypervisor itself. If full admin access for the Active Directory "ESX Admins" group is not desired, you can disable this behavior using the advanced host setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd
    • Change the admin group to a different group in the ESXi hypervisor
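The last two mitigations map onto host advanced options, so an inventory of which hosts still sit at the default is a quick way to prioritise patching. The following is an added example, not code from the Xage post or from VMware: it parses text shaped like the output of `esxcli system settings advanced list -o <path>` for the two relevant options and classifies each host. That output layout is an assumption, the three host samples are constructed, and Config.HostAgent.plugins.hostsvc.esxAdminsGroup (the group-name companion to the auto-add option named above) is a setting I know from VMware documentation rather than one the post itself names.

```python
"""Added example (not from the Xage post or VMware): classify domain-joined
ESXi hosts by whether the "ESX Admins" auto-admin behaviour is still active."""
from typing import Dict, Tuple

AUTO_ADD = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd"   # named in the post
GROUP_NAME = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroup"        # companion option (assumed from VMware docs)
DEFAULT_GROUP = "ESX Admins"


def parse_advanced_list(text: str) -> Dict[str, Dict[str, str]]:
    """Turn esxcli-style 'Key: Value' blocks (one per Path) into nested dicts.
    The block layout is an assumption about esxcli output, not a verified format."""
    options: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key == "Path":
            current = options.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return options


def assess(options: Dict[str, Dict[str, str]]) -> Tuple[str, str]:
    """Return (status, reason). Missing options fall back to the ESXi defaults:
    auto-add enabled and group name 'ESX Admins'."""
    auto_add = options.get(AUTO_ADD, {}).get("Int Value", "1") != "0"
    group = options.get(GROUP_NAME, {}).get("String Value", DEFAULT_GROUP)
    if not auto_add:
        return "hardened", "esxAdminsGroupAutoAdd is 0: no AD group is auto-granted Admin"
    if group != DEFAULT_GROUP:
        # Mitigated, but as the post notes, privileges already granted to
        # "ESX Admins" are not removed immediately, so host permissions need review.
        return ("mitigated", f"admin group changed to {group!r}; verify no lingering "
                f"permission for {DEFAULT_GROUP!r} remains on the host")
    return ("exposed", "default group name with auto-add on: a domain group named "
            f"{DEFAULT_GROUP!r} gets full admin")


def assess_fleet(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its status so exposed hosts can be prioritised."""
    return {name: assess(parse_advanced_list(text))[0] for name, text in hosts.items()}


# Constructed samples approximating esxcli output for three hosts.
HOSTS = {
    "esx01": f"""
   Path: {AUTO_ADD}
   Type: integer
   Int Value: 1
   Default Int Value: 1
   Path: {GROUP_NAME}
   Type: string
   String Value: ESX Admins
   Default String Value: ESX Admins
""",
    "esx02": f"""
   Path: {AUTO_ADD}
   Type: integer
   Int Value: 0
   Default Int Value: 1
""",
    "esx03": f"""
   Path: {AUTO_ADD}
   Type: integer
   Int Value: 1
   Path: {GROUP_NAME}
   Type: string
   String Value: VI-Hypervisor-Admins
   Default String Value: ESX Admins
""",
}

if __name__ == "__main__":
    for name, text in HOSTS.items():
        status, reason = assess(parse_advanced_list(text))
        print(f"{name}: {status} ({reason})")
```

A host with no output at all for either option is treated as exposed, because absence of evidence here means the defaults apply. On the host itself the auto-add option is changed with `esxcli system settings advanced set -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd -i 0`; that command comes from esxcli's documented syntax, not from the post, so confirm it against the Broadcom advisory linked above before rolling it out.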

Xage can protect Enterprise ESXi infrastructure against CVE-2024-37085

Xage can protect ESXi hypervisors against unauthorized access if access to those ESXi hosts is made available only via Xage. Gaining access to the ESXi hosts would require users to first authenticate themselves with Xage’s web portal which supports multi-layer MFA. By requiring users to authenticate with Xage, Xage creates an additional authentication barrier before an attacker can access any ESXi host.

Xage can also restrict access to only those ESXi hosts that an admin needs to perform their duties via granular access control policies. Each subsequent access event can require a new MFA challenge to add layers of security to critical hosts and domains. By limiting the ESXi hosts that an admin can access, Xage reduces the attack surface and unauthorized access to the hosts.

Moreover, with the help of Xage's just-in-time feature, access to vCenter, ESXi hosts, and other privileged resources can be time-bound and granted only when needed to perform tasks. Instead of granting perpetual access to ESXi hosts, the just-in-time feature requires privileged users to request permission each time they need to access critical systems, within a limited time window.

With Xage, admins can also configure per-device MFA. With this feature, an admin has to authenticate every time they access a device that has MFA enabled. This capability adds an additional layer of defense against MFA fatigue attacks. Combined with the just-in-time feature, it makes unauthorized access to ESXi hosts more difficult.

Hypervisors Continue to Be a Target

The authentication bypass vulnerability is the latest vulnerability in ESXi hypervisors, but it won't be the last. Given the popularity of the ESXi platform and its tight integration with other IT/OT systems in major organizations, ESXi hypervisors will remain an appealing target for cyber attackers. With the increase in attacks that lead to initial access or full admin control, organizations must proactively protect themselves against the increase in vulnerability exploits.

Any vulnerability that could grant an attacker full admin access to a system, even one that is complex to exploit, should be patched as soon as possible. However, patching is not always simple, and identifying and inventorying all impacted ESXi systems takes time. Moreover, with no patches planned for ESXi version 7.0, limiting access to hosts running that version via granular policies and putting checks in place becomes paramount for security teams. Comprehensively restricting access to critical infrastructure based on the principle of least privilege, and granting access only via explicit trust, are the pillars of Xage's zero trust approach, which helps organizations prevent their systems from being compromised by cyber adversaries.

With Xage, trust is never assumed but always verified every time a user connects to an asset or a system. Learn more about Xage Zero Trust Access and Protection.