Fortra is actively researching an authentication bypass vulnerability in VMware – CVE-2024-37085. This vulnerability can allow an attacker to bypass Active Directory integration authentication and obtain administrative access to a host. Updates and additional mitigation steps are available.
Who is affected?
Customers using the following platforms are impacted:
- VMware ESXi 8.0 and 7.0
- VMware Cloud Foundation 5.x and 4.x
A malicious actor with sufficient Active Directory permissions can obtain administrative access to an ESXi host that is configured to use Active Directory for user management by re-creating the configured Active Directory group ('ESX Admins' by default) after it has been deleted from Active Directory.
What can I do?
Customers are recommended to install the following updates:
- VMware ESXi 8.0 Update 3
- VMware Cloud Foundation 5.2
It is also recommended to change the following ESXi advanced options:
- Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd: from true to false
- Config.HostAgent.plugins.vimsvc.authValidateInterval: from 1440 to 90
- Config.HostAgent.plugins.hostsvc.esxAdminsGroup: from "ESX Admins" to ""
Note that the 'ESX Admins' group is granted Admin privileges on the host at the moment the host is joined to Active Directory, so these settings should be changed after joining the domain, not before.
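As an added example (not part of the Fortra advisory and not Fortra or VMware tooling), the following PowerCLI script audits the three advanced options above across every host in a vCenter inventory and, when run with -Remediate, applies the recommended values only to hosts that are already joined to a domain, which respects the ordering caveat above. Get-VMHost, Get-VMHostAuthentication, Get-AdvancedSetting and Set-AdvancedSetting are standard PowerCLI cmdlets; the -HostFilter and -Remediate parameters, the output object shape and the assumption that Connect-VIServer has already been run are this script's own.

```powershell
# Added example, not from the Fortra advisory: audit (and optionally remediate)
# the CVE-2024-37085 hardening settings on ESXi hosts managed by a vCenter.
# Assumes VMware PowerCLI is installed and Connect-VIServer has already been run.
param(
    [string]$HostFilter = '*',   # assumed placeholder; e.g. 'esx-prod-*'
    [switch]$Remediate           # without this switch the script only reports
)

# Recommended values from the advisory. Order matters: disable AutoAdd first,
# then shorten the validation interval, then clear the group name.
$Recommended = [ordered]@{
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' = $false
    'Config.HostAgent.plugins.vimsvc.authValidateInterval'  = 90
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'       = ''
}

$results = foreach ($vmhost in Get-VMHost -Name $HostFilter) {
    # The group is granted Admin at domain-join time, so only change settings
    # on hosts that are already joined; report but skip the others.
    $auth   = Get-VMHostAuthentication -VMHost $vmhost
    $joined = -not [string]::IsNullOrEmpty($auth.Domain)

    foreach ($name in $Recommended.Keys) {
        $want    = $Recommended[$name]
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        $before  = $setting.Value
        # Compare as strings so $false vs 'false' and 90 vs '90' match;
        # PowerShell string -eq is case-insensitive.
        $compliant = ("$before" -eq "$want")

        if (-not $compliant -and $Remediate -and $joined) {
            $setting | Set-AdvancedSetting -Value $want -Confirm:$false | Out-Null
            # Re-read rather than assume the write succeeded
            $after     = (Get-AdvancedSetting -Entity $vmhost -Name $name).Value
            $compliant = ("$after" -eq "$want")
        } else {
            $after = $before
        }

        [pscustomobject]@{
            Host         = $vmhost.Name
            DomainJoined = $joined
            Setting      = $name
            Before       = $before
            After        = $after
            Expected     = $want
            Compliant    = $compliant
        }
    }
}

# Non-compliant rows first so they are visible at the top of the report
$results | Sort-Object Compliant, Host | Format-Table -AutoSize
```

Run it once without -Remediate to get a compliance report, review the hosts flagged DomainJoined = False (their settings must be changed only after the join completes), then re-run with -Remediate. Because the script re-reads each option after writing it, a row that stays non-compliant after remediation points at a write that did not take effect and should be investigated on that host.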
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on July 30, 2024, to identify vulnerable instances. If the vulnerability is found, an exposure (EID: 270930) will be raised for CVE-2024-37085.
Fortra VM: Fortra VM released unauthenticated scan coverage on July 11, 2024, via scanner version 4.46.0. If the vulnerability is found, vulnerability 160189 "VMware Security Advisory: VMSA-2024-0013" will be raised for CVE-2024-37085.
Tripwire IP360: Tripwire released authenticated scan coverage on July 10, 2024, to identify vulnerable instances. If the vulnerability is found, Tripwire vulnerability 643622 will match for CVE-2024-37085.
Updates
Fortra has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Fortra security coverage as it becomes available.
07/30/2024: Alert Logic released unauthenticated scan coverage on July 30, 2024, at 11:00pm CT.