This week, Broadcom VMware released an update that addresses a vulnerability in ESXi. This vulnerability could be abused to negatively impact the availability of virtual Domain Controllers running on ESXi hosts.
Note:
The vulnerability exists in VMware Cloud Foundation, too.
The vulnerability was responsibly disclosed to Broadcom VMware.
About the DoS vulnerability
The vulnerability is an out-of-bounds read/write in the virtual storage controllers of VMware ESXi, Workstation, and Fusion. Its primary impact is Denial of Service (DoS), and that is what an adversary can abuse to negatively impact the availability of virtual Domain Controllers running on ESXi hosts.
VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1 on VMware Workstation and VMware Fusion, and a CVSSv3 base score of 7.4 on VMware ESXi and VMware Cloud Foundation.
The vulnerability is tracked as CVE-2024-22273.
How an adversary could abuse the vulnerability
An adversary with access to a virtual machine with storage controllers enabled may exploit this issue to create a denial of service condition. In conjunction with other issues, an adversary could even execute code on the hypervisor from a virtual machine.
Workarounds
There are no workarounds available.
Responsibly disclosed
Hao Zheng (@zhz) and Jiaqing Huang (@s0duku) from TianGong Team of Legendsec at Qi'anxin Group have responsibly disclosed the vulnerability to Broadcom VMware.
The link to virtual Domain Controllers
Many Active Directory Domain Controllers run as virtual machines on top of VMware ESXi.
Abusing the vulnerability, an adversary can make the ESXi host unavailable from within a virtual machine running on that host. As virtual Domain Controllers typically share an ESXi host with other virtual machines, a crash of that host takes the Domain Controllers down with it, without a clean shutdown. Abusing the vulnerability may therefore negatively affect the Active Directory database and Group Policy settings, and these changes replicate as authorized changes to all other Domain Controllers, including physical ones.
When Active Directory's integrity is gone, it's Game Over for nine out of ten organizations.
Addressing the vulnerability
VMware addressed the vulnerability in the following versions:
- For ESXi 8.0, versions ESXi80U2sb-23305545 and up are no longer vulnerable.
- For ESXi 7.0, versions ESXi70U3sq-23794019 and up are no longer vulnerable.
- ESXi 6.5 and ESXi 6.7 do not receive updates to address the vulnerability.
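To check a fleet of hosts against the fixed builds listed above, the following added example (not code from the original post, from Broadcom, or from the advisory) parses the first line of `vmware -v` as printed on an ESXi host ("VMware ESXi 7.0.3 build-23794019") and classifies each host by comparing its build number with the fixed build for its release. The host names and version lines in `SAMPLE_OUTPUT` are constructed for the example. Note the caveat in the comments: the advisory may list a separate fixed build for another patch line of the same release, so a host on such a line is flagged vulnerable here and should be checked against the advisory by hand.

```python
import re
from dataclasses import dataclass

# Fixed builds per ESXi release for CVE-2024-22273, as listed in VMSA-2024-0011
# and in the post above. A host on a different patch line of the same release may
# have its fix at a different build; this table only knows the builds named above,
# so such a host is reported as vulnerable and must be checked against the advisory.
FIXED_BUILDS = {
    "8.0": 23305545,  # ESXi80U2sb-23305545
    "7.0": 23794019,  # ESXi70U3sq-23794019
}
# Releases that receive no update for this vulnerability.
UNSUPPORTED = ("6.5", "6.7")

# Matches the first line printed by `vmware -v` on an ESXi host,
# e.g. "VMware ESXi 8.0.2 build-23305545": the major.minor release and the build.
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")


@dataclass(frozen=True)
class HostStatus:
    host: str
    release: str
    build: int
    status: str  # "fixed", "vulnerable", "unsupported" or "unknown"


def classify(release: str, build: int) -> str:
    """Compare a host's build with the fixed build for its release."""
    if release in UNSUPPORTED:
        return "unsupported"
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return "unknown"  # release not covered by the table above
    return "fixed" if build >= fixed else "vulnerable"


def parse_vmware_v(host: str, line: str) -> HostStatus:
    """Parse one `vmware -v` line for a host and classify it."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError(f"{host}: unrecognised version line: {line!r}")
    release, build = m.group(1), int(m.group(2))
    return HostStatus(host, release, build, classify(release, build))


# Constructed sample output (hypothetical host names and version lines).
SAMPLE_OUTPUT = {
    "esx01.lab.example": "VMware ESXi 8.0.2 build-23305545",  # exactly the fixed build
    "esx02.lab.example": "VMware ESXi 8.0.2 build-22380479",  # older 8.0 U2 build
    "esx03.lab.example": "VMware ESXi 7.0.3 build-23794019",  # exactly the fixed build
    "esx04.lab.example": "VMware ESXi 7.0.3 build-21930508",  # older 7.0 U3 build
    "esx05.lab.example": "VMware ESXi 6.7.0 build-17700523",  # no update available
}


def report(outputs=SAMPLE_OUTPUT):
    """Classify every host; the order of the input mapping is preserved."""
    return [parse_vmware_v(host, line) for host, line in outputs.items()]


if __name__ == "__main__":
    for s in report():
        print(f"{s.host:20} ESXi {s.release} build {s.build:<10} {s.status}")
```

The same check can be fed from PowerCLI, where `Get-VMHost` exposes the `Version` and `Build` properties of each host, by passing those two values to `classify` directly.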
Concluding
Please install the updates for the version(s) of ESXi in use within your organization, as listed above and in advisory VMSA-2024-0011.
Further reading
Support Content Notification VMSA-2024-0011 – Support Portal
VMware finally addresses privilege escalation vulnerability in vCenter Server
VMSA-2022-0030 updates for VMware ESXi and vCenter Server
VMware ESXi 7.0 Update 3c’s cURL version is vulnerable
VMSA-2021-0014 updates for VMware ESXi and vCenter