ESXi Hypervisor Vulnerability Under Active Exploitation

Summary

A threat intelligence advisory has been released by Microsoft Threat Intelligence regarding a vulnerability impacting VMware’s ESXi bare metal hypervisor. A patch has been released for the vulnerability, which is categorized as CVE-2024-37085 (CVSS 3.1: 6.8), yet it is actively being used by threat actors (i.e., Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest) in a ransomware campaign. The vulnerability is defined as an authentication bypass vulnerability, which allows a malicious actor with enough permissions to gain full access to an ESXi host through active directory (AD). This is done by re-creating the configured AD group (ESXi Admins) after it had been deleted from the active directory.

Impact

This vulnerability by itself is considered medium severity, but can be very impactful when used in tandem with other tactics because it can allow authentication bypass and administrator privileges over critical business infrastructure. Evidence indicates the vulnerability has been exploited by multiple threat actor groups.

The vulnerability impacts the ESXi v7.0, ESXi v8.0 and VMware Cloud Foundation 4.x and 5.x according to the response matrix detailed in the security advisory.

Remediation

Fixed versions have been released for ESXi v8.0 and VMware Cloud Foundation 5.x. Moving to Update 3 for ESXi and 5.2 for VMware Cloud Foundation will remediate this vulnerability.

There are also workarounds detailed in KB article 369707 that involve changing the following settings in the ESXi advanced options.

• Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
• Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
• Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to ""

Recommendations

Patch - Ransomware actors use multiple vulnerabilities and there are many steps in an attack chain. Breaking any one of these steps will prevent the vulnerability from being exploited. In this case, applying patches to remediate CVE-2023-28252 or CVE-2024-37085 will break this attack chain. If any of the steps indicated below are disrupted, the attack is halted. Follow vendor instructions and apply patches where applicable to effectively disrupt this attack chain.

Mitigate - Mitigations are provided; ensure that the group ESX admins exists and is hardened against attack. Advanced host settings are also available detailed above in the remediation section.

Prioritize - This vulnerability should be remediated with a high priority. It is being exploited by multiple threat actors and a clear vendor solution is available.

Monitor and Scan - Ensure alerts are enabled and audits are done through active directory to detect anomalous behavior. Vulnerability and asset scanning is crucial in detecting exposed assets, utilizing vulnerability scanning tools such as Microsoft Defender, Qualys, and Nessus are essential to detect vulnerabilities in critical assets.

Clean Credentials - Microsoft recommends utilizing credential hygiene methods due to the attack vector for this vulnerability. The attack requires existing access to credentials with sufficient permissions to perform the exploit. Enforcing MFA, authentication without passwords, and isolating privileged accounts are all recommended.

Associated Bulletins

https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505

‍