
CVE-2024-37085: How RPC Firewall Can Stop the VMware ESXi Vulnerability

Published August 02, 2024 by Sagie Dulce

The recent discovery of CVE-2024-37085, a critical vulnerability in VMware ESXi hypervisors, has sent shockwaves through the cybersecurity community. Microsoft's security researchers have observed multiple ransomware groups actively exploiting this flaw to gain full administrative access to domain-joined ESXi hypervisors. However, there's a powerful tool that could have prevented these attacks: Zero Networks' RPC Firewall. 

Understanding the Vulnerability 

CVE-2024-37085 is an authentication bypass vulnerability that allows attackers with sufficient Active Directory permissions to gain full access to an ESXi host. The flaw stems from how ESXi hypervisors handle domain group permissions: 

  1. ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. 
  2. This group is not built-in and doesn't exist by default in Active Directory. 
  3. ESXi hypervisors don't validate the group's existence when joined to a domain, still granting full admin access to members of a group with this name, even if it didn't originally exist. 

Exploitation in the Wild 

Microsoft researchers have observed several ransomware groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, exploiting this vulnerability. In one notable incident, attackers used the following steps:

  1. Gained initial access via a Qakbot infection. 
  2. Exploited a Windows CLFS vulnerability (CVE-2023-28252) for privilege escalation. 
  3. Used Cobalt Strike and Pypykatz to steal domain administrator credentials. 
  4. Created the 'ESX Admins' group in the domain and added a new user account to it.
  5. Encrypted the ESXi file system, impacting hosted virtual machines.

How RPC Firewall Could Have Prevented the Attack 

Zero Networks' RPC Firewall is a powerful tool that could have effectively blocked the exploitation of CVE-2024-37085. Here's how:

  1. Blocking Critical RPC Calls: Once the RPC Firewall is in protection mode, it blocks any unsanctioned RPC activity, including the command 'net group "ESX Admins" /domain /add', which relies on the MS-SAMR RPC call SamrCreateGroupInDomain. 
  2. Preventing Directory Modifications: By blocking remote changes to Active Directory, RPC Firewall prevents a crucial step in the exploitation process. 
  3. Alerting on Suspicious Activity: The firewall would alert administrators to unauthorized attempts to modify Active Directory, enabling early detection of attack attempts. 
  4. Complementary Protection: The open-source LDAP Firewall component provides additional security by blocking Add/Modify operations in the directory via the LDAP protocol. 

[Figure: RPC Firewall blocks AD group addition/manipulation]
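The alerting step above (and the group-name behaviour described under "Understanding the Vulnerability") can also be checked on the Windows side, independently of the RPC layer. The following is an added example written for this post, not Zero Networks' RPC Firewall code: it runs detection logic over Windows Security audit events for group creation and membership changes and raises an alert whenever the target group is named "ESX Admins". The event IDs (4727/4731/4754 for group creation, 4728/4732/4756 for member additions) and the attribute names (TargetUserName, SubjectUserName, MemberName) are the Security log's own; the event records themselves are constructed samples, and the case-insensitive, whitespace-normalised comparison is an assumption chosen so that lookalike spellings are not missed.

```python
"""Alert on creation of, or membership changes to, an AD group named "ESX Admins".

Added example (not Zero Networks' or VMware's code). SAMPLE_EVENTS are constructed
records shaped like Windows Security events forwarded to a SIEM as JSON objects.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Windows Security event IDs for group lifecycle events, keyed by group scope.
GROUP_CREATED = {4727: "global", 4731: "local", 4754: "universal"}
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

# Assumption: compare case-insensitively with collapsed whitespace so that
# lookalikes such as "esx  admins" are treated as the watched name.
WATCHED_GROUP = "esx admins"


@dataclass(frozen=True)
class Alert:
    event_id: int
    kind: str               # "group_created" or "member_added"
    actor: str              # SubjectUserName: who made the change
    group: str              # TargetUserName as logged
    member: Optional[str]   # MemberName for membership changes, else None


def normalize(name: str) -> str:
    """Lower-case and collapse runs of whitespace for comparison."""
    return " ".join(name.strip().lower().split())


def evaluate(event: Dict) -> Optional[Alert]:
    """Return an Alert if this event creates or populates the watched group."""
    eid = event.get("EventID")
    group = event.get("TargetUserName", "")
    if normalize(group) != WATCHED_GROUP:
        return None
    actor = event.get("SubjectUserName", "<unknown>")
    if eid in GROUP_CREATED:
        return Alert(eid, "group_created", actor, group, None)
    if eid in MEMBER_ADDED:
        return Alert(eid, "member_added", actor, group, event.get("MemberName"))
    return None


def scan(events: Iterable[Dict]) -> List[Alert]:
    """Run evaluate() over a stream of events and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


def format_alert(a: Alert) -> str:
    scope = (GROUP_CREATED | MEMBER_ADDED).get(a.event_id, "?")
    detail = f" member={a.member}" if a.member else ""
    return f"[{a.event_id}] {a.kind} scope={scope} group={a.group!r} by={a.actor}{detail}"


# Constructed sample events: one benign user creation, the creation of the watched
# group, a member added to it, an unrelated group, and a lookalike spelling.
SAMPLE_EVENTS = [
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "svc-backup"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example"},
    {"EventID": 4727, "SubjectUserName": "asmith", "TargetUserName": "Finance Approvers"},
    {"EventID": 4731, "SubjectUserName": "jdoe", "TargetUserName": "esx  admins"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(format_alert(alert))
```

Creation of the group is not malicious by itself: an organisation that has deliberately created and hardened "ESX Admins" should expect one creation event from a known actor, so in practice the alert is suppressed for that change and kept for everything else, in particular for later membership additions.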

Broader Implications and Best Practices 

Modifying directory objects as part of a vulnerability is nothing new. For example, in 2021 two CVEs (CVE-2021-42278 & CVE-2021-42287) were used to allow domain escalation from a standard user, in an attack dubbed sAMAccountName spoofing. So while CVE-2024-37085 specifically affects VMware ESXi, the principle of protecting Active Directory against remote changes is broadly applicable. This approach can prevent similar attacks in the future, even before specific vulnerabilities are discovered or patched. To enhance your organization's security posture: 

  1. Implement tools like RPC Firewall to protect against unauthorized Active Directory modifications. 
  2. Apply VMware's security updates promptly. 
  3. Follow Microsoft's recommendations for mitigating the risk of exploitation. 
  4. Regularly audit and restrict Active Directory permissions. 
  5. Implement network segmentation to limit the potential impact of breaches. 

By combining these practices with powerful tools like RPC Firewall, organizations can significantly reduce their vulnerability to attacks that exploit Active Directory integration, even in complex environments like those using VMware ESXi hypervisors.  

Proactive security measures that focus on protecting critical infrastructure components are key to staying ahead of evolving cyber threats. Request a demo to see how RPC Firewall can proactively protect your network against CVEs.