Microsoft has caused some noise today with CVE-2024-37085, which describes a well-known feature in vSphere. A feature that has been available since vSphere 5.1 came out in September 2012 (no, that is not a typo; it is in fact 12 years old).
The feature in question is that if an ESXi host is joined to an Active Directory domain, it will by default look for an AD group called ESX Admins and grant every member of that group root access to the host (via the Web Client, not via SSH). While I happily agree that this isn’t a very good idea, it is also very well documented and explained in the VMware vSphere documentation, and it is specifically called out both in the vSphere Hardening Guides (esxi-8.ad-enable: Use Active Directory for ESXi user authentication) and in the STIG (V-256404).
Tip
ESXi hosts are not added to Active Directory by default, so for installations where this has not been specifically configured, this is not an issue at all.
The general advice is to NOT join ESXi hosts to Active Directory, as there are near to zero valid use cases for it.
In order to exploit this feature for nefarious reasons, like the ones Microsoft highlights, a number of prerequisites need to be in place:
a) Root access to the ESXi host(s) and a user account that can join it to AD, plus the ability to create an ESX Admins AD security group (or to change the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup on the host so that it uses some other security group from AD).
or
b) The host(s) need to be AD domain-joined already, and you have AD permissions to add a user account to an existing ESX Admins security group (or to create that group if it doesn’t already exist).
So, to be perfectly clear, you either need root access to the ESXi host(s) in question or permissions in Active Directory to be able to exploit this. And if you have ESXi root access already, why would you go to the trouble of adding an ESXi host to the domain?
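As an added example (not from this post, and not VMware's own tooling), a small POSIX shell audit an ESXi admin could run on a host to see whether the ESX Admins mapping described above is actually live there: it is inert unless the host is domain-joined, and it maps whatever group name the advanced setting holds. The slash-form esxcli path for the setting, the `String Value:` output line and the `Domain =` line from `domainjoin-cli query` are assumptions about tool output, and the sample output is constructed.

```shell
#!/bin/sh
# Added audit example (not from the original post): decide whether the
# "ESX Admins" AD-group-to-root mapping is live on an ESXi host, i.e. the host
# is domain-joined, and which AD group name the host maps to root.
# Assumptions: esxcli accepts the advanced option in slash form and prints a
# "String Value:" line; domainjoin-cli query prints "Domain = <name>" when joined.
ADV_OPT="/Config/HostAgent/plugins/hostsvc/esxAdminsGroup"

# Constructed sample output (not captured from a real host) for offline runs.
SAMPLE_ADV='   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   String Value: ESX Admins
   Default String Value: ESX Admins'
SAMPLE_JOIN='Name = esxi01
Domain = corp.example.com'

# Read esxcli advanced-setting output on stdin; print the configured group name.
parse_esx_admins_group() {
    sed -n 's/^[[:space:]]*String Value:[[:space:]]*//p' | head -n 1
}

# Read domainjoin-cli output on stdin; print the joined domain, or nothing.
parse_joined_domain() {
    sed -n 's/^[[:space:]]*Domain = //p' | head -n 1
}

# $1 = joined domain ("" when not joined), $2 = configured admins group.
# Returns 0 when the mapping is inert, 1 when it is live and needs review.
assess_esx_admins() {
    if [ -z "$1" ]; then
        echo "NOT_JOINED: host is not in AD; the ESX Admins mapping is inert"
        return 0
    fi
    echo "JOINED: $1 maps AD group '$2' to root; review that group's membership or leave the domain"
    return 1
}

# Offline demo on the constructed samples; exit status follows assess_esx_admins.
audit_samples() {
    assess_esx_admins "$(printf '%s\n' "$SAMPLE_JOIN" | parse_joined_domain)" \
                      "$(printf '%s\n' "$SAMPLE_ADV" | parse_esx_admins_group)"
}

# Live run on an ESXi host (requires esxcli and the Likewise domainjoin-cli).
audit_host() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found"; return 2; }
    assess_esx_admins \
        "$(/usr/lib/vmware/likewise/bin/domainjoin-cli query 2>/dev/null | parse_joined_domain)" \
        "$(esxcli system settings advanced list -o "$ADV_OPT" | parse_esx_admins_group)"
}
```

Run `audit_host` on the ESXi shell for a live result; `audit_samples` exercises the same logic on the constructed output.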
As Melissa said:
Like are we missing the part where the threat actors have ad? Game over anyway.
— vmiss (@vmiss33) July 29, 2024
Tip
This behaviour only applies when joining ESXi hosts to an Active Directory domain, and does not in any way include joining VMware vCenter systems to Active Directory. vCenter does not look for, or utilize, the ESX Admins security group.
I am glad this feature is being removed by VMware by Broadcom, as it really serves no purpose any more, but to call this a security bypass vulnerability is taking it too far. It’s a feature that works as intended and is documented, with existing advisories and mitigation routines. How that warrants an official CVE is beyond my comprehension.
So I guess congratulations are in order Microsoft, you have read the official VMware documentation! Kudos!
Info
Update 30th July 2024
cyberscoop.com picked up this blog post, and asked Microsoft for comments. Read about it in “Microsoft calls out apparent ESXi vulnerability that some researchers say is a ‘nothing burger’”.