CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi and VMware Cloud Foundation, located in the hypervisor's Active Directory integration. On an ESXi host that is joined to an AD domain for user management, an attacker who can create or rename a domain group can obtain full administrative access to the host by manipulating a group named "ESX Admins". The flaw has been exploited in the wild, notably by ransomware operators, to escalate privileges on domain-joined hypervisors and then encrypt the file systems underneath the hosted virtual machines.
The root cause is how a domain-joined ESXi host decides who its administrators are. By default the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup names the group "ESX Admins", and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd (default true) makes the host grant the Admin role to every member of a domain group with that name. The host matches the group by name rather than by SID and does not require the group to have existed when the host was joined, so any domain group that is later created as, or renamed to, "ESX Admins" is silently trusted. An attacker who already holds enough AD privilege to create or rename groups (the CVSS vector records this as PR:H; the bug is a post-compromise privilege escalation, not an unauthenticated remote exploit) adds an account they control to such a group and thereby gains full administrative control over the hypervisor and every virtual machine it hosts. Ransomware groups exploited this as a zero-day to obtain administrative permissions on ESXi hosts and encrypt the hosts' file systems.
Risks:
Affected Manufacturers and Products: the vulnerability affects VMware ESXi and VMware Cloud Foundation (both now maintained by Broadcom).
Vulnerability Exploitation Method
Exploiting CVE-2024-37085 requires an existing foothold in the Active Directory domain with enough rights to create or rename groups; from there the attacker manipulates group objects so that an account under their control becomes a member of the group the ESXi host recognises as its administrators. Three variants have been observed:
Creating the "ESX Admins" Group: if no group of that name exists, the attacker creates one and adds a controlled account to it. Because the host matches the group by name only, every domain-joined ESXi host grants that account full administrative rights.
Renaming an Existing Group: an existing group is renamed to "ESX Admins", so its current members, or members the attacker adds afterwards, obtain the same rights without a new group ever being created.
Maintaining Privileges: the host re-validates group membership only on a periodic interval, so if a host administrator later points the host at a different management group, the administrative rights of "ESX Admins" members are not revoked immediately, leaving the attacker a window in which the access keeps working.
Vulnerability POC
Proof of Concept Code:
Command Lines:
rem Create the group in the domain (requires rights to create groups in AD)
net group "ESX Admins" /domain /add
rem Add the attacker-controlled account; domain-joined ESXi hosts then treat it as an administrator
net group "ESX Admins" username /domain /add
URLs to POC Code:
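The group-manipulation steps above leave a clear trail in the domain controllers' Security log, so a detection for them is the example worth adding here. The following Python is an added example, not code from the original page or from VMware or Microsoft: it flags creations of, renames to, changes to and membership additions to the group ESXi treats as its administrators, and takes the group name as a parameter so the same check works on hosts where esxAdminsGroup was renamed. The event lines are constructed (a key=value rendering using the Windows Security event XML field names); treating event 4781 as covering group renames is an assumption to confirm against your audit policy.

```python
"""Flag Active Directory group operations that match the CVE-2024-37085 pattern.

Added example. Input lines are a constructed key=value rendering of Windows
Security events using the event XML field names (TargetUserName, MemberName,
OldTargetUserName, NewTargetUserName, SubjectUserName); adapt parse_event()
to your SIEM's export format.
"""
import shlex
from dataclasses import dataclass

# Built-in Windows Security event IDs for the security-group lifecycle.
GROUP_CREATED = {4727, 4731, 4754}   # global / local / universal group created
GROUP_CHANGED = {4737, 4735, 4755}   # global / local / universal group changed
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal group
ACCOUNT_RENAMED = {4781}             # "The name of an account was changed"; assumed
                                     # here to be logged for group renames too

# ESXi default for Config.HostAgent.plugins.hostsvc.esxAdminsGroup.
DEFAULT_ADMIN_GROUP = "ESX Admins"


@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str      # SubjectUserName: the account that performed the change
    detail: str


def parse_event(line: str) -> dict:
    """Parse one key=value line; values containing spaces are double-quoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")   # split on the first '=' only,
        if sep:                                  # so DNs containing '=' survive
            fields[key] = value
    return fields


def normalize(name: str) -> str:
    """sAMAccountNames are case-insensitive and ESXi matches the group by
    name rather than SID, so 'esx admins' is as dangerous as 'ESX Admins'."""
    return name.strip().casefold()


def detect(lines, admin_group: str = DEFAULT_ADMIN_GROUP) -> list:
    """Return one Finding per event that creates, renames, changes, or adds a
    member to the group that domain-joined ESXi hosts treat as administrators."""
    target = normalize(admin_group)
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("EventID", "").isdigit():
            continue                      # malformed or non-security line: skip
        event_id = int(ev["EventID"])
        actor = ev.get("SubjectUserName", "<unknown>")
        group = normalize(ev.get("TargetUserName", ""))
        if event_id in GROUP_CREATED and group == target:
            findings.append(Finding(event_id, actor, f"group {admin_group!r} created"))
        elif event_id in ACCOUNT_RENAMED and normalize(ev.get("NewTargetUserName", "")) == target:
            old = ev.get("OldTargetUserName", "?")
            findings.append(Finding(event_id, actor, f"{old!r} renamed to {admin_group!r}"))
        elif event_id in MEMBER_ADDED and group == target:
            member = ev.get("MemberName", "?")
            findings.append(Finding(event_id, actor, f"member {member!r} added to {admin_group!r}"))
        elif event_id in GROUP_CHANGED and group == target:
            findings.append(Finding(event_id, actor, f"group {admin_group!r} modified"))
    return findings


# Constructed sample: a benign group, an attacker's create-and-add sequence,
# a rename with odd casing, an unrelated logon, and a malformed line.
SAMPLE_EVENTS = [
    'EventID=4727 SubjectUserName=jdoe TargetUserName="Finance Team" TargetDomainName=CORP',
    'EventID=4727 SubjectUserName=helpdesk01 TargetUserName="ESX Admins" TargetDomainName=CORP',
    'EventID=4728 SubjectUserName=helpdesk01 TargetUserName="ESX Admins" '
    'MemberName="CN=svc-backup,OU=Service,DC=corp,DC=local"',
    'EventID=4728 SubjectUserName=jdoe TargetUserName="Domain Users" MemberName="CN=bob,DC=corp,DC=local"',
    'EventID=4781 SubjectUserName=jdoe OldTargetUserName="Printer Ops" NewTargetUserName="esx admins"',
    'EventID=4624 SubjectUserName=jdoe LogonType=3',
    'garbage line without fields',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.event_id}] by {f.actor}: {f.detail}")
```

On the sample the detector reports the creation of "ESX Admins" by helpdesk01, the addition of svc-backup to it, and the rename of "Printer Ops" to "esx admins"; the finance group and the Domain Users change are ignored. Pass admin_group=<your renamed group> on estates that have applied the workaround below, since the attacker then needs to target that name instead.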
In short: CVE-2024-37085 is an authentication bypass in ESXi's Active Directory integration, and several ransomware groups have used it to take full administrative control of domain-joined hypervisors. The usual sequence is to create or rename a domain group to "ESX Admins", which the host then automatically grants administrative access, and to escalate from that foothold to encrypt the file systems of the hypervisors and of the virtual machines they host.
Exploitation timeline:
Threat groups observed exploiting CVE-2024-37085:
Gang Name | Description |
---|---|
Storm-0506 | Used CVE-2024-37085 for privilege escalation in ransomware attacks, notably at a North American engineering firm where Black Basta was subsequently deployed. |
Storm-1175 | Known for supporting or selling ESXi encryptors; observed exploiting CVE-2024-37085. |
Octo Tempest | Used the vulnerability to gain administrative control over ESXi hypervisors. |
Manatee Tempest | Ransomware operations exploiting CVE-2024-37085. |
Broadcom published the fix on June 25, 2024 in advisory VMSA-2024-0013, which also covered two other ESXi vulnerabilities patched in the same release.
Remediation is to update to ESXi 8.0 U3 (build 24022510) or VMware Cloud Foundation 5.2. Where the update cannot be applied immediately, Broadcom's workaround is to change three advanced settings on each domain-joined host, because before ESXi 8.0 U3 their default values are insecure: set Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false so that no domain group is granted the Admin role automatically; change Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to a different (or empty) name; and lower Config.HostAgent.plugins.vimsvc.authValidateInterval from its default of 1440 minutes to 90 so that permission changes take effect sooner. Patching or reconfiguring the host does not undo an attacker's work in the domain, so also check AD for groups named "ESX Admins" that the organisation did not create and review the host's permission assignments for domain groups. Details of the fix and workaround are in Broadcom's advisory and its accompanying knowledge-base article.
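To check whether the workaround is actually in place on a host, the following Python is an added example (not Broadcom's code or tooling) that parses the output of `esxcli system settings advanced list` and reports each of the three settings that is missing or still at an unsafe value. The two host outputs are constructed and abbreviated to resemble that command's block format; how the boolean setting is rendered is an assumption (true/false and 1/0 are both accepted).

```python
"""Audit the three ESXi advanced settings changed by Broadcom's CVE-2024-37085
workaround, from saved `esxcli system settings advanced list` output.

Added example. The host outputs below are constructed and abbreviated to
resemble the command's block format; rendering the boolean as the strings
"true"/"false" is an assumption (integer 1/0 is handled as well).
"""

AUTO_ADD = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd"
ADMIN_GROUP = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroup"
VALIDATE_INTERVAL = "/Config/HostAgent/plugins/vimsvc/authValidateInterval"

DEFAULT_GROUP = "ESX Admins"   # insecure default before ESXi 8.0 U3
MAX_VALIDATE_MINUTES = 90      # Broadcom's recommended value; the default is 1440


def parse_esxcli_advanced_list(text: str) -> dict:
    """Parse block-per-setting output into {path: {field: value}}.
    Blocks are separated by blank lines; each line is '<Field>: <value>'."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        key, sep, value = line.partition(":")   # first colon only; descriptions may contain ':'
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Path":
            current = settings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return settings


def effective_value(entry: dict) -> str:
    """Integer settings carry their value in 'Int Value', string settings in 'String Value'."""
    if entry.get("Type", "").casefold() == "integer":
        return entry.get("Int Value", "")
    return entry.get("String Value", "")


def audit(settings: dict) -> list:
    """Return one finding per setting that is absent or still at an unsafe value."""
    findings = []

    auto = settings.get(AUTO_ADD)
    if auto is None:
        findings.append(f"{AUTO_ADD}: not present on this host")
    elif effective_value(auto).casefold() not in ("false", "0"):
        findings.append(f"{AUTO_ADD}: is {effective_value(auto)!r}, must be false")

    group = settings.get(ADMIN_GROUP)
    if group is None:
        findings.append(f"{ADMIN_GROUP}: not present on this host")
    elif effective_value(group).strip().casefold() == DEFAULT_GROUP.casefold():
        findings.append(f"{ADMIN_GROUP}: still the default {DEFAULT_GROUP!r}; rename or clear it")

    interval = settings.get(VALIDATE_INTERVAL)
    if interval is None:
        findings.append(f"{VALIDATE_INTERVAL}: not present on this host")
    else:
        value = effective_value(interval)
        if not value.isdigit() or int(value) > MAX_VALIDATE_MINUTES:
            findings.append(f"{VALIDATE_INTERVAL}: is {value!r}, should be <= {MAX_VALIDATE_MINUTES} minutes")
    return findings


# Constructed, abbreviated output of a host still at the pre-8.0 U3 defaults.
VULNERABLE_HOST = """\
   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   Int Value: 0
   String Value: ESX Admins
   Default String Value: ESX Admins

   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd
   Type: string
   Int Value: 0
   String Value: true
   Default String Value: true

   Path: /Config/HostAgent/plugins/vimsvc/authValidateInterval
   Type: integer
   Int Value: 1440
   Default Int Value: 1440
   String Value:
   Description: Interval in minutes between permission re-validation.
"""

# Constructed output of a host with all three workaround settings applied.
HARDENED_HOST = """\
   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   String Value: HV-Admins-Restricted
   Default String Value: ESX Admins

   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd
   Type: string
   String Value: false
   Default String Value: true

   Path: /Config/HostAgent/plugins/vimsvc/authValidateInterval
   Type: integer
   Int Value: 90
   Default Int Value: 1440
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_HOST), ("hardened", HARDENED_HOST)):
        print(name, audit(parse_esxcli_advanced_list(text)) or ["all three settings hardened"])
```

Feed it the saved output of `esxcli system settings advanced list` from each host (the command accepts -o with a single path if you only want one setting). A missing setting is reported as a finding rather than ignored, since a host that does not expose these options cannot be confirmed as hardened.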
In summary, here are the patch links in a table format:
Product | Version | Patch Link |
---|---|---|
VMware ESXi | 8.0 U3 | ESXi80U3-24022510 |
VMware Cloud Foundation | 5.x | Cloud Foundation 5.2 |
IOC | Judge | Tags |
---|---|---|
CVE-2024-37085 | High | CVSS 7.2, KEV, PoC Disclosure |