ESXi hypervisors are a ‘favored target for threat actors’ because many security products have limited visibility and protection for them, researchers said.

Security researchers at Microsoft have discovered a vulnerability in VMware ESXi hypervisors that has been exploited by ransomware operators to gain full administrative access to a domain-joined hypervisor. The problem, identified as CVE-2024-37085, grants full admin privileges to members of a domain group without proper validation. Several ransomware groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, have used it after gaining access to a network in order to deploy ransomware.

“While there are worse things that could happen in the weeks leading up to your marquee customer and partner event, a vulnerability announcement based on an exploit that was actually seen in the wild, well, that’s certainly up there,” observed John Annand, research practice lead at Info-Tech Research Group. “So, Broadcom, and Microsoft for that matter, are yet again forced to spend more time and effort on reassuring rather than inspiring customers.”

How the ‘ESX Admins’ attack works

The attack involves creating a domain group called “ESX Admins” and adding a user to it. This group is not a built-in Active Directory group and is not created by default, yet ESXi hypervisors automatically grant its members admin access. The hypervisors do not validate that the group exists when they are joined to the domain, and if the group is created afterwards they still treat its members as administrators. In addition, Microsoft said, membership is determined by the group’s name rather than by its security identifier (SID), which is what should be used.
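Because ESXi matches the group by name, a defender can watch the domain controller security log for any group being created, renamed to, or populated under that name. The following is an added detection example, not code from the article or from Microsoft; it assumes the standard Windows Security event IDs 4727 (security-enabled global group created), 4728 (member added to such a group) and 4781 (account name changed), with field names as they appear in those events, and runs over constructed sample events.

```python
# Added example (not from the article): flag domain-controller Security
# events that create, rename or populate a group named "ESX Admins".
# Assumed event IDs: 4727 group created, 4728 member added, 4781 renamed.
import re

WATCHED_NAME = "esx admins"          # ESXi resolves this group by name, not SID
_SPACES = re.compile(r"\s+")


def _norm(name: str) -> str:
    """Normalise whitespace and case so spelling variants still match."""
    return _SPACES.sub(" ", name.strip()).lower()


def classify(event: dict):
    """Return an alert string if the event touches the watched group, else None."""
    eid = event.get("EventID")
    if eid == 4727 and _norm(event.get("TargetUserName", "")) == WATCHED_NAME:
        return (f"group created: {event['TargetUserName']} "
                f"by {event.get('SubjectUserName')}")
    if eid == 4728 and _norm(event.get("TargetUserName", "")) == WATCHED_NAME:
        return (f"member added: {event.get('MemberName')} -> "
                f"{event['TargetUserName']} by {event.get('SubjectUserName')}")
    if eid == 4781 and _norm(event.get("NewTargetUserName", "")) == WATCHED_NAME:
        return (f"group renamed to {event['NewTargetUserName']} "
                f"(was {event.get('OldTargetUserName')})")
    return None


def find_esx_admins_activity(events):
    """Scan a list of event dicts and return all alerts in log order."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "Finance Users", "SubjectUserName": "jdoe"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "svc-backup"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "svc-backup",
     "MemberName": "CN=tempadmin,OU=Users,DC=corp,DC=example"},
    {"EventID": 4781, "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx  admins"},
    {"EventID": 4728, "TargetUserName": "Domain Users", "SubjectUserName": "jdoe",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for line in find_esx_admins_activity(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Three of the five sample events are flagged: the group creation, the membership change, and the rename of an unrelated group to a whitespace-and-case variant of the watched name.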
“In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function,” Microsoft researchers wrote in a blog post describing the vulnerability. “It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.”

Microsoft noted that hypervisors are increasingly popular targets for hackers, since many security products have limited visibility into them and thus can’t offer good protection. And, it added, encrypting an ESXi hypervisor file system impacts all the virtual machines it hosts.

VMware has issued patches for the flaw, which affects ESXi 7.0 and 8.0, as well as VMware Cloud Foundation 4.x and 5.x. It also offered workarounds for users who can’t immediately update.

VMware ESXi servers were the target of a massive ransomware attack in early 2023, with more than 3,200 servers compromised worldwide, according to cybersecurity firm Censys. Previously, in 2022, the double-extortion malware Cheerscrypt was found on ESXi servers by researchers from Trend Micro. ESXi has also been the target of backdoors from cyberespionage groups. Earlier this year, VMware patched a critical flaw in its virtualized USB controllers, which impacted ESXi.

In the wake of CrowdStrike

This is yet another piece of bad news for both the vendors and their customers, who have suffered the consequences of multiple recent vulnerabilities.

“In the grand scheme of things, a vulnerability that requires one of the host Windows machines to already be compromised so as to infect the hypervisor is bad, but with a CVSS of 6.8, not as bad as it could be, and is slightly less harmful than average (7.4ish). I think the more interesting conversation is when you pair this exploit with the CrowdStrike and Microsoft vulnerability,” Annand said.
“Right now, the security of any system overall relies on the resources and expertise of the enterprise customer. It’s hard enough holding a single vendor accountable when their software development/testing practices are found to be lacking — how on earth do you parse out the responsibility when it is the combination of multiple independent vendors?”