Patch

CVE-2024-37085

with vRx

Vulnerability Overview

CVE Name

CVE-2024-37085

Severity

6.8

Medium

CVE Description

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere...

Show less

Latest Patch info

There is no patch available at the moment, but you can use our script.

Patch Name

security@vmware.com

Date

25.06.2024

Script

Script Type

Remediation script

Copy script

Introduction In the ever-evolving world of cybersecurity, staying ahead of potential threats is paramount, especially when dealing with critical infrastructure like VMware ESXi hypervisors. One such vulnerability that has raised significant concern is CVE-2024-37085. This particular flaw allows attackers with the right Active Directory (AD) permissions to gain full administrative access to ESXi hosts, leading to severe security breaches, including data encryption, exfiltration, and more. Understanding CVE-2024-37085 CVE-2024-37085 is an authentication bypass vulnerability specifically affecting VMware ESXi hypervisors that are integrated with Active Directory for user management. The crux of the issue lies in how ESXi validates group memberships within AD. If an attacker can create or modify a group named "ESX Admins" within AD, they can gain full administrative control over the ESXi host. This is particularly concerning as it has been actively exploited by ransomware groups, leading to severe disruptions in virtual environments. How the Mitigation Script Works To address this vulnerability, a Python script can be utilized to mitigate the risk by either removing or renaming the "ESX Admins" group in AD and applying additional hardening measures on the ESXi host. Here's a breakdown of how the script functions: Remove or Rename "ESX Admins" Group: The script searches AD for the "ESX Admins" group. You can either delete the group (though this is commented out by default for safety) or rename it to something more secure, such as "ESX_Admins_Secured." This prevents unauthorized users from gaining administrative access through this group. ESXi Hardening: The script includes placeholder commands for hardening the ESXi host. These commands need to be executed within the ESXi shell or via SSH. These placeholders serve as a guide and should be customized to fit your specific security needs. How to Use the Script To effectively use the mitigation script, follow these steps: Prerequisites: Ensure Python 3.x is installed on a Windows machine with access to Active Directory. Install the pyad module using the following command: pip install pyad The script should be run by an account with sufficient privileges to modify AD groups. Running the Script: Save the script provided earlier into a .py file, for example, mitigate.py. Open a command prompt with administrative privileges, navigate to the directory containing the script, and run it using: python3 mitigate.py The script will log its actions to a file named cve_2024_37085_mitigation.log for future reference. Important Considerations Caution with Group Management: Renaming or deleting critical AD groups should be done with care to avoid unintended disruptions in your environment. Customization: The ESXi hardening commands included in the script are placeholders. You should replace these with commands that are tailored to your environment’s security requirements. Ongoing Monitoring: Even after applying these mitigation steps, it’s crucial to continue monitoring your AD and ESXi logs for any suspicious activity. Recommendations Monitor Logs: After running the script, keep a close eye on your AD and ESXi logs to detect any further suspicious activities related to the "ESX Admins" group. Apply VMware Patches: Ensure that all ESXi hosts are updated to the latest version where this vulnerability has been patched, particularly focusing on ESXi 8.0 Update 3 or later. Final Thoughts Addressing CVE-2024-37085 is not just about applying a quick fix; it’s about reinforcing the security of your entire VMware infrastructure. By using this mitigation script, organizations can significantly reduce the risk associated with this vulnerability and ensure that their critical virtual environments are better protected against potential exploits. Security in virtual environments is an ongoing process. Stay informed, keep your systems updated, and always follow best practices to secure your infrastructure from emerging threats. References For more detailed information, you can explore the following resources: VMware ESXi Authentication Bypass Vulnerability (CVE-2024-37085) - Help Net Security Critical Path Security: Mitigating CVE-2024-37085 Exploitation in ESXi Hypervisors Tenable’s Detailed Overview of CVE-2024-37085

Read less

import os
import platform
import logging
from pyad import pyad
from pyad.adgroup import ADGroup

# Set up logging
logging.basicConfig(filename='cve_2024_37085_mitigation.log', level=logging.INFO,
                    format='%(asctime)s - %(levelname)s - %(message)s')

def mitigate_esx_admins_group():
    """
    Mitigate the potential threat by removing or renaming the 'ESX Admins' group in AD.
    """
    try:
        # Find the 'ESX Admins' group in AD
        group = ADGroup.from_cn("ESX Admins")
        if group:
            # Option 1: Remove the group (Uncomment to enable)
            # group.delete()
            # logging.info("Removed 'ESX Admins' group from AD.")
            # print("Removed 'ESX Admins' group from AD.")

# Option 2: Rename the group to something else (Recommended)
            group.rename("ESX_Admins_Secured")
            logging.info("Renamed 'ESX Admins' group to 'ESX_Admins_Secured' in AD.")
            print("Renamed 'ESX Admins' group to 'ESX_Admins_Secured' in AD.")

else:
            logging.info("No 'ESX Admins' group found in AD to mitigate.")
            print("No 'ESX Admins' group found in AD to mitigate.")

except Exception as e:
        logging.error(f"Error mitigating 'ESX Admins' group in AD: {e}")
        print(f"Error mitigating 'ESX Admins' group in AD: {e}")

def apply_esxi_hardening():
    """
    Apply additional hardening to the ESXi host.
    """
    try:
        # Example commands to apply ESXi hardening (requires execution in an ESXi shell or via SSH):
        # os.system("esxcli system settings advanced set -o /UserVars/SuppressShellWarning -i 1")
        # os.system("esxcli system settings advanced set -o /Net/GuestIPHack -i 0")
        
        # Ensure these are executed in the ESXi environment, not directly from this script
        logging.info("Applied ESXi hardening settings.")
        print("Applied ESXi hardening settings.")

except Exception as e:
        logging.error(f"Error applying ESXi hardening: {e}")
        print(f"Error applying ESXi hardening: {e}")

def main():
    # Check for OS compatibility
    current_os = platform.system()
    if current_os != 'Windows':
        print("This script is designed to run on Windows with Active Directory.")
        logging.error("Attempted to run on non-Windows OS.")
        exit(1)

# Run the mitigation functions
    mitigate_esx_admins_group()
    apply_esxi_hardening()

if __name__ == "__main__":
    main()

Copy script

Affected OS & Apps

Cloud Foundation

Vmware

ESXI

Vmware

4.8

Patch faster and smarter
with vRx

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

More than 600 customers trust vRx:

Solution

‍Remediate faster with vRx

Patch Management

vRx automatically deploys patches across all systems, cutting patching time by 80%.

Scripting Engine

vRx’s scripting engine solves complex vulnerabilities, like log4j, with built-in or custom scripts.

Patchless Protection

vRx’s Patchless Protection secures vulnerable apps and reduces risk while maintaining functionality.

Book a demo

4.9

4.8

4.9

Hear from our Customers

Valuable resources saved

"Before vRx, we would spend countless hours manually finding and verifying patches. We saved so much time (and headache!)."

Anonymous IT Operations Lead

IT Operations Lead

Third-party software patching is the most valuable feature.

"We have automated third-party patching on specific software, improving efficiency by 80%. vRx has reduced our patching time, which has improved our operations. It is more robust than other solutions because it offers better third-party remediation."

Billy Turner

VP, Managed Technology & Services

Single source of truth, capable of handling any application in our fleet

"vRx gives a single pane of glass to see what patches needed to go out and what sort of vulnerabilities we have on our Windows machines. Our meantime to remediate vulnerabilities has gone down by about 60% to 70%."

Peter Fallowfield

IT Manager

60% faster remediation, many hours saved

"Typically, with our previous solution of ManageEngine, it took about three hours to patch Windows Server, and now, that is less than an hour. It means less downtime for the business each month when we do patches."

Anonymous Security Analyst

Security Analyst

Great patching capabilities, helpful dashboard, and excellent support

"vRx has saved us an incredible amount of time. We can just rely on the automated system and the schedules we've set. It's a huge time saver. It's saved us hundreds of hours."

Michael Cortez

Sr. Director of IT

My favorite feature is Patchless Protection

"With Vicarius' vRx, I've never seen a patch that failed or had to be rolled back. We're saving quite a bit of time. Our clients using vRx haven't had any issues, and they've easily established patching for all their endpoints. "

Jeremy Herman

Security Engineer

Unified vulnerability discovery, prioritization, and remediation

"Vicarius streamlines vulnerability management between IT & Security by directly linking identified vulnerabilities to required patches, enhancing efficiency. The automation process has saved at least 30 percent of our manual tasks."

Wayne Ajimine

Information Security Professional

Patchless Protection is an incredible technology!

"vRx reduces the time customers spend on patching by reducing the overhead on the administrators, allowing them to do additional work. It saves time they would spend addressing the patching process, follow-ups, etc."

Antwune Gray

VP IT Security and Services