VMware ESXi, VMware Cloud Foundation: authentication bypass (CVE-2024-37085)

CVE

This CVE relates to an authentication bypass vulnerability in VMware ESXi. The vulnerability is about 4 months old and is categorized as a zero-day exploit, meaning it was not previously known and has no immediate fix upon discovery. Specifically, a malicious actor with the necessary Active Directory permissions can gain full access to an ESXi host. This is possible if the ESXi host was configured to use Active Directory for user management and the attacker is able to re-create the AD group 'ESXi Admins' after it was deleted. The flaw affects organizations running affected versions of VMware ESXi (8.0 builds earlier than ESXi80U3-24022510, and 7.0) as well as VMware Cloud Foundation versions 5.x and 4.x.
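Because the bypass depends on the group being created again after deletion, domain controller Security logs are a natural place to watch for it. The following Python is an added example, not code from the original page or from VMware: the event dict layout, the sample events and the account names are constructed, and `watched` should be set to whatever group the ESXi hosts are configured to trust.

```python
# Windows Security log event IDs for security-enabled groups
# (global, domain-local and universal scope respectively).
CREATED = {4727, 4731, 4754}
DELETED = {4730, 4734, 4758}
MEMBER_ADDED = {4728, 4732, 4756}


def find_group_recreation(events, watched="ESXi Admins"):
    """Return alerts for creation of, and member additions to, the watched group.

    `events` is an iterable of dicts with keys time (ISO 8601 UTC string),
    event_id, group, actor and optionally member. This layout is an
    assumption for the example, not a real export format.
    """
    name = watched.casefold()      # AD group names compare case-insensitively
    deleted_at = None              # time of the most recent deletion seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["group"].casefold() != name:
            continue
        eid = ev["event_id"]
        if eid in DELETED:
            deleted_at = ev["time"]
        elif eid in CREATED:
            kind = "recreated-after-delete" if deleted_at else "created"
            alerts.append((kind, ev["time"], ev["actor"], None))
        elif eid in MEMBER_ADDED:
            alerts.append(("member-added", ev["time"], ev["actor"], ev.get("member")))
    return alerts


# Constructed sample events (not taken from any real environment).
SAMPLE_EVENTS = [
    {"time": "2024-07-01T09:00:00Z", "event_id": 4730,
     "group": "ESXi Admins", "actor": "CORP\\it-admin"},
    {"time": "2024-07-03T02:14:10Z", "event_id": 4727,
     "group": "esxi admins", "actor": "CORP\\helpdesk7"},
    {"time": "2024-07-03T02:14:45Z", "event_id": 4728,
     "group": "esxi admins", "actor": "CORP\\helpdesk7", "member": "CORP\\helpdesk7"},
    {"time": "2024-07-03T08:00:00Z", "event_id": 4727,
     "group": "Finance Users", "actor": "CORP\\it-admin"},
]

if __name__ == "__main__":
    for alert in find_group_recreation(SAMPLE_EVENTS):
        print(alert)
```

An alert of either kind on a domain with AD-joined ESXi hosts warrants checking who created the group and whether the hosts have been patched.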

Watch the full video on YouTube: CVE-2024-37085

Remediation and exploitation details

This chain involves the following actors

The following systems are involved

Attack entry point

Remediation actions

Exploitation actions


CVE database technical details

CVE ID: CVE-2024-37085
Description: VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management (https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html) by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
Provider: vmware
CWE / problem types: Authentication bypass vulnerability
Affected Software Versions:
    n/a:VMware ESXi: version 8.0, less than ESXi80U3-24022510 (affected, version type: custom); version 7.0 (affected)
    n/a:VMware Cloud Foundation: version 5.x (affected); version 4.x (affected)
Date Published: 2024-06-25T14:16:01.280Z
Last Updated: 2024-08-02T03:43:50.997Z