Microsoft researchers have recently uncovered a severe vulnerability in VMware ESXi hypervisors, designated as CVE-2024-37085. This critical flaw allows unauthorized users to gain full administrative access to domain-joined ESXi hypervisors by exploiting a security oversight related to domain group validation. Specifically, the vulnerability arises when a domain group named “ESX Admins” is created, which the hypervisors incorrectly recognize as an administrator group. This issue occurs because the hypervisors fail to validate the existence of this group properly, granting its members unrestricted admin privileges regardless of whether the group was created later.
The exploitation of this vulnerability has been observed in several ransomware attacks, with groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest taking advantage of the flaw to deploy their malicious software. By gaining full administrative control over the ESXi hypervisor, these attackers can encrypt the hypervisor’s file system, leading to severe disruptions in the operation of all virtual machines hosted on the compromised hypervisor. This encryption not only affects the functionality of the virtual machines but also poses significant risks of data loss and can facilitate further lateral movement within the network, making the impact of the attack potentially extensive.
In response to the identified vulnerability, VMware has issued patches for affected versions of its hypervisor software, including ESXi 7.0, 8.0, and VMware Cloud Foundation versions 4.x and 5.x. For users who are unable to apply these patches immediately, VMware has provided interim workarounds to mitigate the risk. The release of these updates is a crucial step in addressing the security flaw and protecting systems from potential exploitation. Organizations are strongly advised to implement these patches and follow best practices for securing their virtualization environments to prevent similar incidents.
This discovery is part of a broader pattern of vulnerabilities impacting VMware products, emphasizing the critical need for vigilance and robust security measures. Earlier this year, a significant ransomware attack targeted over 3,200 ESXi servers globally, highlighting the ongoing threats to virtualization platforms. Additionally, previous vulnerabilities, such as the critical flaw in virtualized USB controllers, have further underscored the importance of maintaining up-to-date security practices. The evolving threat landscape reinforces the need for comprehensive security strategies and effective collaboration among vendors to safeguard essential infrastructure against sophisticated cyber threats.
Reference:
