CVE-2024-37085 in ESXi
Summary
by MITRE • 06/25/2024
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 09/09/2024
This vulnerability represents a critical authentication bypass flaw in VMware ESXi systems that leverages the trust relationship between the hypervisor and Active Directory infrastructure. The vulnerability stems from the design assumption that once an ESXi host is configured to use Active Directory for user management, the system will maintain consistent authentication state regardless of changes made to the directory service. When an administrator deletes the configured AD group such as the default 'ESXi Admins' group, the system should ideally reject any subsequent authentication attempts from users who were previously granted administrative privileges. However, the flaw allows a malicious actor with sufficient AD permissions to recreate the deleted group with the same name and membership, effectively bypassing the intended security controls. This vulnerability specifically impacts ESXi hosts that have been configured to delegate user management to Active Directory, a common configuration pattern in enterprise environments where centralized identity management is preferred.
The technical implementation of this flaw occurs at the authentication validation layer within ESXi's directory service integration mechanism. When an AD group is deleted from the directory, the ESXi host maintains a cached reference to the group that may not be properly invalidated or revalidated upon group recreation. The system's authentication process does not adequately verify that the recreated group maintains the same security context as the original, allowing the malicious actor to exploit the temporal window between group deletion and the system's recognition of the change. This behavior aligns with CWE-287 which addresses improper handling of authentication tokens and session management, specifically focusing on situations where authentication state is not properly reset or validated after configuration changes. The vulnerability essentially creates a race condition in the authentication system where the host's internal state becomes inconsistent with the actual directory service state, enabling unauthorized access through legitimate authentication pathways.
The operational impact of this vulnerability extends beyond simple privilege escalation to represent a fundamental breach in the security model of ESXi host management. An attacker with sufficient AD permissions can effectively circumvent the intended administrative controls by simply recreating the deleted group, thereby gaining full administrative access to the ESXi host without detection. This creates a persistent backdoor that remains active until the host is rebooted or the system is manually reconfigured to properly invalidate the cached authentication state. The attack vector is particularly concerning because it requires minimal privileges to execute - only the ability to create AD groups, which is often available to domain administrators or delegated security personnel. This aligns with ATT&CK technique T1078.002 which covers valid accounts with additional privileges, where the attacker leverages legitimate administrative capabilities to maintain access. The vulnerability undermines the principle of least privilege and can be exploited to establish persistent access to virtual infrastructure, potentially enabling further attacks such as lateral movement within the virtual environment or data exfiltration from virtual machines.
Mitigation strategies for this vulnerability should focus on implementing proper group lifecycle management and enhancing the authentication validation process within ESXi systems. Administrators should regularly audit and monitor AD group configurations, particularly those related to host management, to detect unauthorized group recreation attempts. VMware recommends implementing additional security controls such as configuring ESXi hosts to use local authentication as a backup mechanism, implementing strict group naming conventions, and establishing automated monitoring for group creation/deletion events. Organizations should also consider implementing privileged access management solutions that can detect and prevent unauthorized group recreation activities. The vulnerability highlights the importance of proper session management and authentication state validation, particularly in distributed systems where external identity providers are integrated. Regular system updates and patches from VMware are essential to address this flaw, as the vulnerability exists in the fundamental authentication handling mechanism of the ESXi platform. Additionally, implementing network segmentation and monitoring solutions can help detect suspicious authentication patterns that might indicate exploitation attempts. Security teams should also consider implementing zero-trust principles for host management, requiring additional verification steps beyond simple group membership for administrative access, thereby reducing the impact of such authentication bypass vulnerabilities.