VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)
Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to them and encrypt their file system.
VMware owner Broadcom released a fix for CVE-2024-37085 on June 25, 2024 and credited Microsoft’s researchers for flagging it, but did not mention that the vulnerability – at that time, a zero-day – was under active exploitation.
Attackers exploiting CVE-2024-37085
“ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network,” Microsoft’s threat analysts explained.
Ransomware operators have been using custom Linux versions of the Akira, Black Basta, Babuk, Lockbit, and other encryptors to encrypt VMware ESXi virtual machines, but leveraging ESXi vulnerabilities such as CVE-2024-37085 means easy encryption of multiple virtual machines (VMs) in one fell swoop.
According to Microsoft’s analysts, ransomware operators like Storm-0506, Storm-1175, Manatee Tempest, and Octo Tempest have been exploiting CVE-2024-37085 after gaining access to AD domain controllers by compromising credentials of domain administrators.
They would then create a group named “ESX Admins” in the domain and add a user to it, which automatically conferred to that user (i.e., the threat actor) full administrative access on the ESXi hypervisor.
“This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist. Additionally, the membership in the group is determined by name and not by security identifier (SID),” Microsoft’s researchers noted.
They subsequently also found that the same thing can be achieved by renaming any group in the domain to “ESX Admins” and adding a user to the group or using an existing group member.
What to do?
Full administrative access to an ESXi hypervisor means that, before encrypting the file system, attackers can also access the hosted VMs and exfiltrate data from them.
CVE-2024-37085 has been fixed in ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2. It won’t be fixed in ESXi 7.0 and VMware Cloud Foundation v4.x, but a workaround is available.
Admins are advised to upgrade their installations as soon as possible and check for suspicious modifications to the ESX Admins group (or its unsanctioned creation).
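Since ESXi matches the group purely by name, a straightforward detection is to watch the domain controllers' Security log for any event that creates a group with that name, renames an existing group to it, or adds a member to it. The following is an added example (not Microsoft's or Broadcom's code) that runs such a check over a few constructed event records shaped like the exported fields of Windows Security events 4727/4731/4754 (group created), 4728/4732/4756 (member added) and 4781 (account renamed); the case-insensitive comparison is an assumption, and the group name is a parameter because the name ESXi honours is configurable on the host.

```python
"""Flag AD group changes that would grant ESXi admin rights via the "ESX Admins" name."""
from dataclasses import dataclass

# Windows Security event IDs (global / local / universal security-enabled groups)
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
NAME_CHANGED = 4781  # "The name of an account was changed"


@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str      # SubjectUserName: who made the change
    group: str      # group name as it appears in the event
    detail: str


def esxi_admin_group_events(events, group_name="ESX Admins"):
    """Return a Finding for every event that creates, renames to, or populates group_name.

    Comparison is case-insensitive (assumption) because ESXi keys on the name, not the SID.
    """
    wanted = group_name.casefold()
    findings = []
    for ev in events:
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        target = ev.get("TargetUserName", "")
        if eid in GROUP_CREATED and target.casefold() == wanted:
            findings.append(Finding(eid, actor, target, "group created"))
        elif eid in MEMBER_ADDED and target.casefold() == wanted:
            findings.append(Finding(eid, actor, target, f"member added: {ev.get('MemberName', '?')}"))
        elif eid == NAME_CHANGED and ev.get("NewTargetUserName", "").casefold() == wanted:
            findings.append(Finding(eid, actor, ev["NewTargetUserName"],
                                    f"renamed from {ev.get('OldTargetUserName', '?')}"))
    return findings


# Constructed sample events (not real telemetry); field names follow the Security log schema.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance Team"},
    {"EventID": 4727, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esx admins"},  # rename variant described by Microsoft
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Users",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for f in esxi_admin_group_events(SAMPLE_EVENTS):
        print(f"event {f.event_id} by {f.actor}: '{f.group}' ({f.detail})")
```

Any hit from this check in an environment that never intentionally created the group is worth treating as a potential precursor to VM encryption, and a rename (4781) is as significant as a creation.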
UPDATE (July 30, 2024, 09:40 a.m. ET):
“The premise of the vulnerability is that domain-joined ESXi will automatically check for a certain Active Directory group. If the group name exists, all members of that group will be granted admin privileges over the ESXi server,” Rapid7 vulnerability researcher Ryan Emmons further explained.
This was a documented feature / default configuration that admins were instructed to keep in mind and work around, and the risk this issue posed was publicly documented years ago.