Fortra is actively researching an authentication bypass vulnerability in VMware ESXi, CVE-2024-37085. This vulnerability can allow an attacker to bypass Active Directory integration authentication and obtain administrative access to a host. Updates and additional mitigation steps are available.
Who is affected?
Customers using the following platforms are impacted:
- VMware ESXi 8.0 and 7.0
- VMware Cloud Foundation 5.x and 4.x
A malicious actor with sufficient Active Directory permissions can gain administrative access to an ESXi host configured to use Active Directory for user management by re-creating the configured Active Directory group ('ESX Admins' by default) after it has been deleted from Active Directory.
What can I do?
Customers are recommended to install the following updates:
- VMware ESXi 8.0 Update 3
- VMware Cloud Foundation 5.2
It is also recommended to change the following ESXi advanced options:
- Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from `true` to `false`
- Config.HostAgent.plugins.vimsvc.authValidateInterval from `1440` to `90`
- Config.HostAgent.plugins.hostsvc.esxAdminsGroup from `"ESX Admins"` to `""`
Note that the 'ESX Admins' group is added to the host with Admin privileges once the host is joined to Active Directory, so these settings should be changed after joining the domain.
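The following PowerCLI script is an added example, not code from the Fortra article or from VMware. It audits every host visible to a vCenter server for the three advanced options listed above, reports which hosts still have the vulnerable values, and optionally applies the recommended values when run with `-Remediate`. The vCenter name is a placeholder, and the script assumes an account with permission to read and change host advanced settings.

```powershell
# Added example (not from the Fortra article or VMware): audit, and optionally
# remediate, the ESXi advanced options recommended against CVE-2024-37085.
# Requires VMware PowerCLI. Server name below is a placeholder.
param(
    [string]$Server = "vcenter.example.internal",   # placeholder vCenter FQDN
    [switch]$Remediate                                # report only unless set
)

# Hardened values recommended in the advisory, keyed by advanced option name.
$Expected = [ordered]@{
    "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd" = $false
    "Config.HostAgent.plugins.vimsvc.authValidateInterval"   = 90
    "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"        = ""
}

Connect-VIServer -Server $Server | Out-Null

$results = foreach ($vmhost in Get-VMHost) {
    foreach ($name in $Expected.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        $actual  = $setting.Value
        $wanted  = $Expected[$name]

        # Compare as strings so booleans, integers and the empty string all
        # line up regardless of the type PowerCLI returns for each option.
        $compliant = ("$actual" -eq "$wanted")

        if (-not $compliant -and $Remediate) {
            # Only touch settings that actually differ from the hardened value.
            Set-AdvancedSetting -AdvancedSetting $setting -Value $wanted -Confirm:$false | Out-Null
            $actual    = (Get-AdvancedSetting -Entity $vmhost -Name $name).Value
            $compliant = ("$actual" -eq "$wanted")
        }

        [pscustomobject]@{
            Host      = $vmhost.Name
            Setting   = $name
            Actual    = $actual
            Expected  = $wanted
            Compliant = $compliant
        }
    }
}

# Non-compliant rows first so the hosts that still need attention stand out.
$results | Sort-Object Compliant, Host | Format-Table -AutoSize

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without `-Remediate` to get an inventory, and confirm that each host still has a working local or vCenter-based administrative path before clearing `esxAdminsGroup`, since that option is what maps the Active Directory group to host Admin rights. Because the advisory notes the group is added at domain-join time, the audit is worth re-running after any host is (re)joined to Active Directory.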
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on July 30, 2024, to identify vulnerable instances. If the vulnerability is found, an exposure (EID: 270930) will be raised for CVE-2024-37085.
Updates
Fortra has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Fortra security coverage as it becomes available.
07/30/2024: Alert Logic released unauthenticated scan coverage on July 30, 2024, at 11:00pm CT.