Latest Broadcom ESXi vulnerabilities #

Broadcom has disclosed a vulnerability in their ESXi product that involves a domain group that could contain members that are granted full administrative access to the ESXi hypervisor host by default without proper validation.

CVE-2024-37085 is rated medium with CVSS score of 6.8 and allows an attacker with sufficient Active Directory (AD) permissions to bypass authentication.

What is the impact? #

A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. The three ways this can be exploited are:

1. Creating the AD group 'ESX Admins' to the domain and adding a user to it (known to be exploited in the wild)

2.
Renaming another AD group in the domain to 'ESX Admins' and adding a new or existing user to it

3.
Refreshing the privileges in the ESXi hypervisor when the 'ESX Admin' group is unassigned as the management group.

Are updates or workarounds available? #

Product

Version

Fixed Version

Workarounds

ESXi

8.0

ESXi80U3-24022510

KB369707

ESXi

7.0

No Patch Planned

KB369707

VMware Cloud Foundation

5.x

5.2

KB369707

VMware Cloud Foundation

4.x

No Patch Planned

KB369707

How to find potentially vulnerable systems runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

os:ESXi

Additionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which could be potential sources of exploitation:

source:vmware or source:broadcom

Written by Blain Smith

Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking working on some of the most popular games and systems millions of people play and watch daily. He has given numerous talks at conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.

More about Blain Smith
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find FortiManager instances on your network
How to find FortiManager instances on your network using runZero
Rapid Response
How to find SolarWinds Web Help Desk services on your network
CISA has announced that CVE-2024-28987 is actively being exploited in SolarWinds' Web Help Desk software. Here's how to find potentially affected...
Rapid Response
How to find SuperMicro BMCs
Supermicro released a vulnerability advisory for a critical CVE that allows for remote code execution (CVE-2024-36435). Here's how to find impacted...
Rapid Response
How to find OpenPrinting CUPS services on your network
Several vulnerabilities within OpenPrinting CUPS potentially allow for remote code execution. Here's how to find impacted assets.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved