VMware addresses ‘ESX Admins’ authentication bypass vulnerability (CVE-2024-37085) in ESXi 8.0 Update 3


Today, Broadcom issued a second update to VMSA-2024-0013 for VMware ESXi, specifically to address the vulnerability CVE-2024-37085. This vulnerability, with a CVSSv3 base score of 6.8 out of 10 (Moderate), allows an adversary with sufficient Active Directory permissions to gain full access to ESXi hosts.


About the vulnerability

For an adversary to abuse this vulnerability:

  • The ESXi host(s) need to be configured with default settings;
  • The ESXi host(s) need to be configured to use Active Directory for user management; and
  • The adversary needs to have sufficient permissions in Active Directory Domain Services to either:
    • recreate the ‘ESX Admins’ group after it was deleted or renamed, or
    • add one or more accounts to the ‘ESX Admins’ group.

If the above three conditions are met, and the Active Directory permissions pertain to the same Active Directory domain that the ESXi host(s) are configured to use, the adversary gains full access to the ESXi host(s).

Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto from Microsoft reported this issue to Broadcom.


About the fix

Broadcom VMware addressed the vulnerability in ESXi version 8.0 Update 3, ISO Build 24022510, released on June 25th, 2024.

Broadcom VMware did not address the vulnerability in ESXi version 7.0 and has no patch planned for that version, even though Broadcom extended support for it to October 2025 (was: April 2025). For ESXi 7.0, Broadcom offers a workaround for hosts already configured for Active Directory user management.

This workaround removes the default access that the ‘ESX Admins’ group has to ESXi hosts, using the following esxcli command:

esxcli system permission unset -i 'DOMAIN\esx^admins' --group

Replace DOMAIN with the sAMAccountName of the Active Directory domain the ESXi host is configured to use for user management.

These settings take effect within a minute. A reboot is not required.
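After applying the workaround on an ESXi 7.0 host, you will want to confirm that the ‘ESX Admins’ group no longer holds the Admin role. The script below is an added example, not code from the original post or from Broadcom/VMware: it parses the output of esxcli system permission list and reports any group principal ending in esx^admins (the caret-for-space spelling taken from the workaround command above) that still has the Admin role. The two listings embedded in it are constructed samples for offline use, and the column layout they assume (Principal / Is Group / Role / Role Description) is an assumption about the real command's output that you should verify against your own host before relying on check_live_host.

```shell
#!/bin/sh
# Added example (not from the original post or from Broadcom/VMware):
# verify on an ESXi host that the 'ESX Admins' Active Directory group no
# longer holds the Admin role, by inspecting `esxcli system permission list`.
# The two listings below are CONSTRUCTED samples for offline use; the column
# layout (Principal / Is Group / Role / Role Description) is an assumption
# about the real command's output.

SAMPLE_BEFORE_WORKAROUND='Principal          Is Group  Role   Role Description
-----------------  --------  -----  ------------------
dcui               false     Admin  Full access rights
root               false     Admin  Full access rights
vpxuser            false     Admin  Full access rights
CORP\esx^admins    true      Admin  Full access rights'

SAMPLE_AFTER_WORKAROUND='Principal          Is Group  Role   Role Description
-----------------  --------  -----  ------------------
dcui               false     Admin  Full access rights
root               false     Admin  Full access rights
vpxuser            false     Admin  Full access rights'

# esx_admins_with_admin_role LISTING
# Prints every group principal whose name ends in 'esx^admins' (esxcli writes
# the space in 'ESX Admins' as '^'; any domain prefix is accepted, and the
# comparison is case-insensitive) that still carries the Admin role.
# Exit status 0 = at least one such principal exists, so the workaround is
# NOT in effect; 1 = none found.
esx_admins_with_admin_role() {
    printf '%s\n' "$1" | awk '
        NR > 2 {                                   # skip header and separator
            principal = $1; is_group = $2; role = $3
            # last 10 characters of the lower-cased principal vs "esx^admins"
            suffix = substr(tolower(principal), length(principal) - 9)
            if (is_group == "true" && role == "Admin" && suffix == "esx^admins") {
                print principal
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_live_host: run this in the ESXi shell (or over SSH) where esxcli is
# available. Returns 0 when no 'ESX Admins' group holds the Admin role,
# 1 when the workaround is still needed, 2 when esxcli could not be queried.
check_live_host() {
    listing=$(esxcli system permission list) || return 2
    if esx_admins_with_admin_role "$listing"; then
        printf '%s\n' "WARNING: the principal(s) above still hold the Admin role." >&2
        printf '%s\n' "Apply the workaround: esxcli system permission unset -i 'DOMAIN\\esx^admins' --group" >&2
        return 1
    fi
    printf '%s\n' "OK: no 'ESX Admins' group holds the Admin role on this host."
    return 0
}

# Offline demonstration on the constructed samples:
esx_admins_with_admin_role "$SAMPLE_BEFORE_WORKAROUND" && echo "-> workaround NOT applied"
esx_admins_with_admin_role "$SAMPLE_AFTER_WORKAROUND" || echo "-> workaround applied"
```

The check matches on the principal name rather than on a fixed DOMAIN value, so it also catches a host joined to a different domain than expected; it deliberately ignores the built-in dcui, root and vpxuser accounts, which are not groups. Because the advisory only changes the group's default access, a host that is later re-joined to Active Directory should be re-checked.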


Concluding

Please install the updates for the version(s) of ESXi in use within your organization, as mentioned above and in the advisory for VMSA-2024-0013.

If this is not feasible, apply the workaround.
