A Denial of Service vulnerability threatens the availability of virtual Domain Controllers on VMware ESXi (VMSA-2024-0011, Important, CVE-2024-22273)


This week, Broadcom VMware released an update that addresses a vulnerability in ESXi. This vulnerability could be abused to negatively impact the availability of virtual Domain Controllers running on ESXi hosts.

Note: The vulnerability exists in VMware Cloud Foundation, too.

The vulnerability was responsibly disclosed to Broadcom VMware.


About the DoS vulnerability

The vulnerability an adversary can abuse to negatively impact the availability of virtual Domain Controllers running on ESXi hosts is a Denial of Service (DoS) vulnerability in the storage controllers of VMware ESXi, Workstation, and Fusion. These controllers have an out-of-bounds read/write vulnerability.

VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1 on VMware Workstation and VMware Fusion, and a CVSSv3 base score of 7.4 on VMware ESXi and VMware Cloud Foundation.

The vulnerability is tracked as CVE-2024-22273.

How an adversary could abuse the vulnerability

An adversary with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial of service condition. In conjunction with other issues, an adversary could even execute code on the hypervisor from a virtual machine.

Workarounds

There are no workarounds available.

Responsibly disclosed

Hao Zheng (@zhz) and Jiaqing Huang (@s0duku) from TianGong Team of Legendsec at Qi'anxin Group have responsibly disclosed the vulnerability to Broadcom VMware.


The link to virtual Domain Controllers

Many Active Directory Domain Controllers run as virtual machines on top of VMware ESXi.

Abusing the vulnerability, an adversary can make the ESXi host unavailable from within a virtual machine running on that host. As virtual Domain Controllers typically run on ESXi hosts that also host other virtual machines, abusing the vulnerability may negatively affect the Active Directory database and Group Policy settings, including replicating these changes as authorized changes to all other Domain Controllers, including physical ones.

When Active Directory’s integrity is gone, it’s Game Over for 9/10 organizations.


Addressing the vulnerability

VMware addressed the vulnerability in the following versions:

  • For ESXi 8.0, versions ESXi80U2sb-23305545 and up are no longer vulnerable.
  • For ESXi 7.0, versions ESXi70U3sq-23794019 and up are no longer vulnerable.
  • ESXi 6.5 and ESXi 6.7 do not receive updates to address the vulnerability.
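To check an ESXi estate against these fixed builds, the following added example (not part of the original post or of any VMware tooling) parses the output of `esxcli system version get` for each host and reports whether the host is at or above the fixed build for its release line. It assumes that, within one ESXi release line, a higher build number means a later build, and the host inventory it uses is constructed sample data.

```python
"""Assess ESXi hosts against the fixed builds for CVE-2024-22273 (VMSA-2024-0011)."""
import re

# Minimum fixed build per ESXi release line, taken from the advisory summary above.
FIXED_BUILDS = {
    "8.0": 23305545,  # ESXi80U2sb-23305545
    "7.0": 23794019,  # ESXi70U3sq-23794019
}
# Release lines that receive no update for this vulnerability.
NO_FIX_LINES = {"6.5", "6.7"}

# Constructed sample output of `esxcli system version get`, one entry per host.
SAMPLE_INVENTORY = {
    "dc01-esx": "   Product: VMware ESXi\n   Version: 8.0.2\n   Build: Releasebuild-23305545\n",
    "dc02-esx": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-22348816\n",
    "lab-esx":  "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17700523\n",
}


def parse_esxcli_version(output: str) -> tuple[str, int]:
    """Return (major.minor, build number) from `esxcli system version get` text."""
    version = re.search(r"^\s*Version:\s*(\d+\.\d+)", output, re.M)
    build = re.search(r"^\s*Build:\s*(?:Releasebuild-)?(\d+)", output, re.M)
    if not version or not build:
        raise ValueError("unrecognised esxcli output")
    return version.group(1), int(build.group(1))


def assess(line: str, build: int) -> str:
    """Classify one host: fixed, vulnerable, no fix available, or unknown line."""
    if line in NO_FIX_LINES:
        return "no fix available: migrate to a supported ESXi release"
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "unknown: release line not covered by the VMSA-2024-0011 build list"
    if build >= fixed:
        return "fixed"
    return f"vulnerable: build {build} is below fixed build {fixed}"


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host name to its assessment."""
    return {host: assess(*parse_esxcli_version(out)) for host, out in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```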


Concluding

Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2024-0011.

Further reading

  • Support Content Notification VMSA-2024-0011 – Support Portal
  • VMware finally addresses privilege escalation vulnerability in vCenter Server
  • VMSA-2022-0030 updates for VMware ESXi and vCenter Server
  • VMware ESXi 7.0 Update 3c’s cURL version is vulnerable
  • VMSA-2021-0014 updates for VMware ESXi and vCenter

Author: Sander Berkouwer

Sander Berkouwer is the author of the Active Directory Administration Cookbook, speaker and blogger at DirTeam.com and ServerCore.net. He is awarded Microsoft MVP, Veeam Vanguard and VMware vExpert. Since 2009, Microsoft has awarded Sander with the Most Valuable Professional (MVP) award. Since 2016, Veeam has awarded Sander with the Veeam Vanguard award.