Full Report
Microsoft researchers have discovered a vulnerability in ESXi hypervisors, identified as CVE-2024-37085. This flaw is being exploited by ransomware operators to gain full administrative access to domain-joined ESXi hypervisors, enabling them to encrypt file systems, access hos...
Analysis Summary
# Vulnerability: ESXi Hypervisor Privilege Escalation via Group Naming
## CVE Details
- CVE ID: CVE-2024-37085
- CVSS Score: Not given in the source report. Broadcom's advisory for this CVE (VMSA-2024-0013) rates it CVSSv3 6.8 (Important): exploitation needs existing Active Directory privileges, but the outcome is **Full Administrative Access** to the hypervisor, so the operational risk for a virtualisation estate is effectively critical.
- CWE: Improper authorization. The privileged group is identified by its name (a mutable attribute any sufficiently privileged AD principal can set) rather than by its Security Identifier (SID), which is fixed for the lifetime of the object.
## Affected Systems
- Products: VMware ESXi Hypervisors
- Versions: Not listed in the source report. Broadcom's advisory covers ESXi 7.0 and 8.0 and the VMware Cloud Foundation releases that bundle them; the fix shipped in ESXi 8.0 Update 3, and ESXi 7.0 received no patch and must rely on the workaround. Only **domain-joined ESXi hypervisors** are affected.
- Configurations: The host must be joined to an Active Directory domain with the default admin-group setting, which grants the Admin role to members of a group named "ESX Admins". That group is not a built-in AD group and does not exist by default, and ESXi does not check that it exists when the host joins the domain, so an attacker only has to create it, or rename an existing group to that name.
## Vulnerability Description
The vulnerability stems from domain-joined ESXi hypervisors granting full administrative privileges to members of a domain group named exactly "ESX Admins". ESXi resolves that group by its name rather than by its Security Identifier (SID), does not verify that the group exists when the host joins the domain, and by default grants the role to the group automatically. Because a group name is a mutable attribute that any principal with sufficient AD rights can change, an attacker who can create or rename groups obtains the Admin role on every domain-joined host. The report describes three paths: (1) create a group named "ESX Admins" and add a user to it; (2) rename an existing group to "ESX Admins" and use one of its current members, or add a new one; (3) abuse the hypervisor's privilege refresh behaviour, under which members of "ESX Admins" keep full administrative privileges for a period even after an administrator assigns a different management group to the host.
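To make the root cause concrete, the following is an added example (not code from the Microsoft report and not VMware's implementation): a toy model of a domain and of two authorization checks, one that resolves the privileged group by name on every request and one that binds to the group's SID once. It replays the create and rename paths against both. All SIDs, groups and users are constructed for the illustration.

```python
"""Added example, not code from the Microsoft report or from VMware: a toy
model of the name-versus-SID authorization flaw. Every SID, group and user
below is constructed for the illustration."""

from dataclasses import dataclass, field

ESX_ADMINS_GROUP_NAME = "ESX Admins"  # default group name the hypervisor looks up


@dataclass
class Group:
    sid: str                                   # objectSid: fixed for the object's lifetime
    name: str                                  # sAMAccountName: mutable by anyone with write access
    members: set = field(default_factory=set)  # member user SIDs


class Directory:
    """Minimal stand-in for an AD domain: groups keyed by SID, unique names."""

    def __init__(self):
        self.groups = {}
        self._next_rid = 2000

    def find_by_name(self, name):
        # sAMAccountName comparisons in AD are case-insensitive
        return next((g for g in self.groups.values() if g.name.lower() == name.lower()), None)

    def create_group(self, name):
        if self.find_by_name(name) is not None:
            raise ValueError(f"sAMAccountName {name!r} already exists")  # AD enforces uniqueness
        sid = f"S-1-5-21-1111-2222-3333-{self._next_rid}"  # constructed domain SID
        self._next_rid += 1
        self.groups[sid] = Group(sid, name)
        return self.groups[sid]

    def rename_group(self, sid, new_name):
        if self.find_by_name(new_name) is not None:
            raise ValueError(f"sAMAccountName {new_name!r} already exists")
        self.groups[sid].name = new_name


def is_admin_by_name(directory, user_sid):
    """Vulnerable pattern: resolve the privileged group by name on every check,
    so whoever controls a group carrying that name controls the host."""
    g = directory.find_by_name(ESX_ADMINS_GROUP_NAME)
    return g is not None and user_sid in g.members


def is_admin_by_sid(directory, bound_sid, user_sid):
    """Hardened pattern: the group's SID was captured once (e.g. at domain join)
    and membership is evaluated against that object only; renames are irrelevant."""
    g = directory.groups.get(bound_sid)
    return g is not None and user_sid in g.members


def run_scenarios():
    """Replays the report's create and rename paths against both checks.
    Returns {scenario: (name_based_grants_admin, sid_based_grants_admin)}."""
    attacker = "S-1-5-21-1111-2222-3333-5001"  # constructed user SID
    out = {}

    # Scenario 1: no "ESX Admins" group exists (the default state; the host never
    # validated it). The attacker creates one and joins it. A SID-bound check has
    # nothing to bind to, so it denies rather than trusting an arbitrary object.
    ad = Directory()
    rogue = ad.create_group("ESX Admins")
    rogue.members.add(attacker)
    out["create"] = (is_admin_by_name(ad, attacker), is_admin_by_sid(ad, None, attacker))

    # Scenario 2: a legitimate, empty "ESX Admins" group exists and the host is
    # bound to its SID. The attacker controls a "Helpdesk" group; renaming the
    # real group out of the way and then renaming Helpdesk into the name hijacks
    # a name-based check but leaves the SID-based check pointing at the real group.
    ad = Directory()
    legit = ad.create_group("ESX Admins")
    helpdesk = ad.create_group("Helpdesk")
    helpdesk.members.add(attacker)
    ad.rename_group(legit.sid, "ESX Admins (old)")
    ad.rename_group(helpdesk.sid, "ESX Admins")
    out["rename"] = (is_admin_by_name(ad, attacker), is_admin_by_sid(ad, legit.sid, attacker))
    return out


if __name__ == "__main__":
    for scenario, (by_name, by_sid) in run_scenarios().items():
        print(f"{scenario:7s} name-based admin={by_name}  SID-based admin={by_sid}")
```

In both scenarios the name-based check grants the attacker administrative access and the SID-bound check does not. The second scenario also shows why the fix cannot be "pre-create the group": an attacker with rename rights can still move the name onto an object they control unless the host identifies the group by something the attacker cannot rewrite.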
## Exploitation
- Status: **Exploited in the wild** (Used by ransomware operators like Storm-0506 and Storm-1175).
- Complexity: Low once the prerequisite is met. The attacker needs Active Directory rights to create a group or rename an existing one (for example, a compromised account that has been delegated group management); no memory corruption or further exploit is involved.
- Attack Vector: Network. This is a post-compromise privilege escalation: after gaining a foothold and the necessary AD rights, the attacker changes group objects in the directory, and the hypervisor picks up the change through its normal domain authentication path.
## Impact
- Confidentiality: **High** (Access to hosted virtual machines and sensitive data).
- Integrity: **High** (Ability to encrypt file systems and manipulate VM states).
- Availability: **High** (Mass encryption leading to denial of service via ransomware).
## Remediation
### Patches
- **Update ESXi to a fixed release.** The source report does not list versions; Broadcom fixed the issue in ESXi 8.0 Update 3. Hosts that cannot be patched, including ESXi 7.0, must apply the workaround below.
### Workarounds
- Stop relying on the default group name: change the ESXi advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to a dedicated, tightly controlled group (or an empty value), and set Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false so the host no longer grants the Admin role to that group automatically.
- Remove or rename any domain group named "ESX Admins" that is not intentionally used for hypervisor administration, and restrict who can create or rename groups in the domain.
- Because of the privilege refresh behaviour, changing the management group does not immediately revoke access from existing "ESX Admins" members; verify the host's role assignments after the change. The workaround reduces exposure, but patching remains necessary because the design still keys on a group name.
## Detection
- **Indicators of Compromise (IOC):** Post-exploitation tooling observed in the reported intrusions includes Qakbot, Cobalt Strike, Black Basta ransomware, SystemBC, and Pypykatz.
- **Detection methods and tools:** On the directory side, audit Windows Security events for security-enabled group creation (event IDs 4727, 4731, 4754), group changes including renames (4737, 4735, 4755) and membership additions (4728, 4732, 4756) that involve a group named "ESX Admins", and treat any such event not performed by a known virtualisation administrator as high priority. On the hypervisor side, alert when a domain account appears with the Admin role that is not on the approved list, and when ESXi administrative logins originate from domain accounts that should not hold that role. Microsoft's report also supplies Advanced Hunting queries for the same signals in Defender XDR.
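The following is an added example of the directory-side rule above, not code or telemetry from the Microsoft report. It runs over constructed Windows Security events whose field names follow the simplified EventData layout of the 4727/4737/4728 family (TargetUserName and TargetSid identify the group, MemberSid the added member, SubjectUserName the actor). The sanctioned-group SID is a constructed value standing in for the SID of the group an organisation actually uses; the point it adds is that matching on the name alone misses the step where the real group is renamed away, so the rule also watches the sanctioned SID.

```python
"""Added example, not from the Microsoft report: a detection rule for the
Active Directory side of the attack. All events and SIDs are constructed."""

TARGET_GROUP = "esx admins"  # compared case-insensitively

# Windows Security event IDs for security-enabled group lifecycle events,
# keyed by group scope.
GROUP_CREATED = {4727: "global", 4731: "domain local", 4754: "universal"}
GROUP_CHANGED = {4737: "global", 4735: "domain local", 4755: "universal"}
MEMBER_ADDED = {4728: "global", 4732: "domain local", 4756: "universal"}

# Constructed: the SID of the group the organisation really uses for ESXi admins.
SANCTIONED_ESX_ADMINS_SID = "S-1-5-21-1111-2222-3333-2007"

# Constructed sample events: a legitimate setup, then an attacker-controlled
# service account renaming the real group away, renaming its own group into
# the name, and adding a member.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TimeCreated": "2024-07-20T09:12:01Z", "SubjectUserName": "admin.ops",
     "TargetUserName": "ESX Admins", "TargetSid": "S-1-5-21-1111-2222-3333-2007"},
    {"EventID": 4727, "TimeCreated": "2024-07-20T09:15:44Z", "SubjectUserName": "admin.ops",
     "TargetUserName": "Helpdesk", "TargetSid": "S-1-5-21-1111-2222-3333-2001"},
    {"EventID": 4737, "TimeCreated": "2024-07-21T23:41:07Z", "SubjectUserName": "svc_backup",
     "TargetUserName": "ESX Admins (old)", "TargetSid": "S-1-5-21-1111-2222-3333-2007"},
    {"EventID": 4737, "TimeCreated": "2024-07-21T23:41:52Z", "SubjectUserName": "svc_backup",
     "TargetUserName": "ESX Admins", "TargetSid": "S-1-5-21-1111-2222-3333-2001"},
    {"EventID": 4728, "TimeCreated": "2024-07-21T23:42:10Z", "SubjectUserName": "svc_backup",
     "TargetUserName": "ESX Admins", "TargetSid": "S-1-5-21-1111-2222-3333-2001",
     "MemberSid": "S-1-5-21-1111-2222-3333-5001"},
    {"EventID": 4728, "TimeCreated": "2024-07-22T08:00:00Z", "SubjectUserName": "admin.ops",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111-2222-3333-512",
     "MemberSid": "S-1-5-21-1111-2222-3333-5003"},
]


def detect(events, sanctioned_sid=None):
    """Return alert dicts for group events that touch the name "ESX Admins"
    or, when sanctioned_sid is given, the sanctioned group object itself.
    Severity is critical when the name and the sanctioned SID disagree."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in GROUP_CREATED:
            action = f"{GROUP_CREATED[eid]} group created"
        elif eid in GROUP_CHANGED:
            action = f"{GROUP_CHANGED[eid]} group changed/renamed"
        elif eid in MEMBER_ADDED:
            action = f"member {ev.get('MemberSid')} added"
        else:
            continue  # not a group lifecycle event

        name = ev.get("TargetUserName", "")
        sid = ev.get("TargetSid")
        name_hit = name.strip().lower() == TARGET_GROUP
        sid_hit = sanctioned_sid is not None and sid == sanctioned_sid
        if not (name_hit or sid_hit):
            continue

        if name_hit and sanctioned_sid is not None and not sid_hit:
            severity, reason = "critical", "group carrying the name 'ESX Admins' is not the sanctioned group"
        elif sid_hit and not name_hit:
            severity, reason = "critical", "sanctioned ESX Admins group renamed away"
        else:
            severity, reason = "medium", "change to a group named 'ESX Admins'; confirm with owner"

        alerts.append({"time": ev["TimeCreated"], "event_id": eid, "actor": ev["SubjectUserName"],
                       "group": name, "sid": sid, "action": action,
                       "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, SANCTIONED_ESX_ADMINS_SID):
        print(f"[{a['severity']:8s}] {a['time']} {a['event_id']} {a['actor']}: "
              f"{a['action']} ({a['group']}, {a['sid']}) - {a['reason']}")
```

Run without a sanctioned SID, the rule fires only on the three events that literally mention "ESX Admins"; with the SID it also catches the 4737 that renames the real group to "ESX Admins (old)", which is the step that makes the impostor group possible. In production the events would come from a SIEM rather than the inline list, and the sanctioned SID from the group you configured in Config.HostAgent.plugins.hostsvc.esxAdminsGroup.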
## References
- Microsoft Security Blog: hxxps://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-for-mass-encryption/