VMware vSphere CVE-2024-37085 - A Nothing Burger

Published by Christian Mohn · Read in about 3 min (519 words)

Microsoft has caused some noise today with CVE-2024-37085, which describes a well-known feature in vSphere. A feature that has been available since vSphere 5.1 came out in September 2012 (no, that is not a typo, it is in fact 12 years old).

The feature in question is this: if an ESXi host is joined to an Active Directory domain, it will by default look for an AD group called ESX Admins and grant every member of that group the Administrator role on the host, which is functionally root access (via the Web Client, not via SSH). While I happily agree that this isn't a very good idea, it is also very well documented and explained in the VMware vSphere documentation, and it is specifically called out in the vSphere Hardening Guides (esxi-8.ad-enable: Use Active Directory for ESXi user authentication), as well as in the STIG (V-256404).

Tip

ESXi hosts are not added to Active Directory by default, so for installations where this has not been specifically configured, this is not an issue at all.

The general advice is to NOT join ESXi hosts to Active Directory, as there are near to zero valid use cases for it.
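To find out where you actually stand, the two things to check on every host are whether it is joined to a domain at all and which group name the advanced setting points at. The PowerCLI script below is an added example (not code from the original post or from VMware); it assumes the VMware.PowerCLI module is installed and that you have already run Connect-VIServer against a vCenter or host. The -Remediate switch and the decoy group name are my own choices, not anything the post prescribes.

```powershell
param(
    # Only act when explicitly asked; the default run is read-only
    [switch]$Remediate,
    # Assumption: a group name that does not and will not exist in AD, used to close the
    # default-name path on hosts that cannot leave the domain right away
    [string]$DecoyGroupName = 'NoSuchGroup-DoNotCreate'
)

Import-Module VMware.PowerCLI -ErrorAction Stop

# The advanced setting that tells hostd which AD group gets the Administrator role
$settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

$report = foreach ($vmhost in Get-VMHost) {
    # Domain is $null when the host has never been joined
    $auth  = Get-VMHostAuthentication -VMHost $vmhost
    $group = (Get-AdvancedSetting -Entity $vmhost -Name $settingName).Value

    [pscustomobject]@{
        Host             = $vmhost.Name
        Domain           = $auth.Domain
        MembershipStatus = $auth.DomainMembershipStatus
        EsxAdminsGroup   = $group
        # Exposed only if the host is joined AND still uses the default group name.
        # -eq is case-insensitive in PowerShell, which matches how AD treats group names.
        Exposed          = [bool]$auth.Domain -and ($group -eq 'ESX Admins')
    }
}

$report | Format-Table -AutoSize

$exposed = @($report | Where-Object Exposed)
Write-Output ("{0} of {1} hosts are AD-joined and still use the default ESX Admins group name." -f $exposed.Count, $report.Count)

if ($Remediate -and $exposed.Count -gt 0) {
    foreach ($entry in $exposed) {
        Get-AdvancedSetting -Entity (Get-VMHost -Name $entry.Host) -Name $settingName |
            Set-AdvancedSetting -Value $DecoyGroupName -Confirm:$false
        Write-Output "Pointed $settingName on $($entry.Host) at '$DecoyGroupName'."
    }
}
```

Hosts that are not joined show an empty Domain column and are not affected, whatever the setting says. For the joined ones, pointing the setting at a group that nobody can create (or, better, leaving the domain as advised above) is what removes the exposure; changing the setting alone does not touch any existing AD group membership.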

In order to exploit this feature for nefarious purposes, like the ones Microsoft highlights, a number of prerequisites need to be in place:

a) Root access to the ESXi host(s) plus an AD account that can join the host to the domain, and then either an ESX Admins AD security group (existing or newly created) or the ability to change the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup on the host to point at some other AD security group you control.

or

b) The host(s) need to be AD domain-joined already, and you need AD permissions to add a user account to an existing ESX Admins security group (or to create a new one if it doesn't already exist).

So, to be perfectly clear, you either need root access to the ESXi host(s) in question or sufficient permissions in Active Directory to be able to exploit this. And if you have ESXi root access already, why would you go to the trouble of adding an ESXi host to the domain?
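Path b) above is the one to watch for on the AD side: a group with the default name appearing, or new principals landing in it. The script below is an added example (not from the original post); it assumes the RSAT ActiveDirectory module and an account that can read the domain. The 30-day "recent" window is an arbitrary choice of mine, and whenCreated on a member object tells you when that principal was created, not when it was added to the group, so it flags new accounts rather than new memberships.

```powershell
param(
    # The name ESXi looks for by default; change it if esxAdminsGroup was customised on the hosts
    [string]$GroupName = 'ESX Admins',
    # Assumption: anything created inside this window is worth a second look
    [int]$RecentDays = 30
)

Import-Module ActiveDirectory -ErrorAction Stop

$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties whenCreated, whenChanged

if (-not $group) {
    Write-Output "No group named '$GroupName' exists in the domain."
    Write-Output "Any AD-joined ESXi host would still honour one created later, so the question becomes who may create groups."
    return
}

$cutoff = (Get-Date).AddDays(-$RecentDays)

# Group itself: a freshly created group with this name on an established domain is the thing to notice
[pscustomobject]@{
    Group       = $group.DistinguishedName
    Scope       = $group.GroupScope
    Created     = $group.whenCreated
    Changed     = $group.whenChanged
    RecentlyNew = $group.whenCreated -gt $cutoff
} | Format-List

# Members with nested groups expanded: every one of these holds the Administrator role
# on any ESXi host joined to this domain that still uses the default group name
Get-ADGroupMember -Identity $group -Recursive |
    ForEach-Object {
        $obj = Get-ADObject -Identity $_.DistinguishedName -Properties whenCreated
        [pscustomobject]@{
            Member       = $_.SamAccountName
            Class        = $_.objectClass
            Created      = $obj.whenCreated
            NewPrincipal = $obj.whenCreated -gt $cutoff
        }
    } | Format-Table -AutoSize
```

For the "when was it added" question that whenCreated cannot answer, the domain controller security log is the record: event 4727 (security-enabled global group created) and 4728 (member added to a security-enabled global group) carry the group name and the acting account, and a detection on either of those for a group named ESX Admins is cheap to write.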

As Melissa said:

Tip

This behaviour is only the case when joining ESXi hosts to an Active Directory domain, and does not in any way include joining VMware vCenter systems to Active Directory. vCenter does not look for, or utilize, the ESX Admins Security group.

I am glad this feature is being removed by VMware by Broadcom, as it really serves no purpose any more, but to call this a security bypass vulnerability is taking it too far. It's a feature that works as intended and is documented, with existing advisories and mitigation routines. How that warrants an official CVE is beyond my comprehension.

So I guess congratulations are in order Microsoft, you have read the official VMware documentation! Kudos!

Info

Update 30th July 2024
cyberscoop.com picked up this blog post, and asked Microsoft for comments. Read about it in Microsoft calls out apparent ESXi vulnerability that some researchers say is a ‘nothing burger’

Post last updated on August 1, 2024.
