Latest Broadcom ESXi vulnerabilities
Broadcom has disclosed a vulnerability in their ESXi product that involves a domain group that could contain members that are granted full administrative access to the ESXi hypervisor host by default without proper validation.
CVE-2024-37085 is rated medium with CVSS score of 6.8 and allows an attacker with sufficient Active Directory (AD) permissions to bypass authentication.
What is the impact?
A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD. The three ways this can be exploited are:
1. Creating the AD group ‘ESX Admins’ to the domain and adding a user to it (known to be exploited in the wild)
2. Renaming another AD group in the domain to ‘ESX Admins’ and adding a new or existing user to it
3. Refreshing the privileges in the ESXi hypervisor when the ‘ESX Admin’ group is unassigned as the management group.
Are updates or workarounds available?
Product | Version | Fixed Version | Workarounds |
ESXi | 8.0 | ||
ESXi | 7.0 | No Patch Planned | |
VMware Cloud Foundation | 5.x | ||
VMware Cloud Foundation | 4.x | No Patch Planned |
How to find potentially vulnerable systems runZero
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
os:ESXiAdditionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which could be potential sources of exploitation:
source:vmware or source:broadcomAbout Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
