FOCUS FRIDAY: TPRM INSIGHTS ON VMWARE ESXi AUTHENTICATION BYPASS VULNERABILITY

Welcome to this week’s Focus Friday blog, where we dive into high-profile incidents affecting the cybersecurity landscape from a Third-Party Risk Management (TPRM) perspective. This week, we focus on a significant vulnerability in VMware ESXi, identified as CVE-2024-37085, which has been actively exploited by ransomware operators. We will explore the details of this vulnerability, its implications for TPRM professionals, and how Black Kite’s FocusTagsTM can aid in managing these risks effectively.

VMware ESXi Authentication Bypass Vulnerability (CVE-2024-37085)

What is VMware ESXi Authentication Bypass Vulnerability?

CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi. This medium-severity flaw, with a CVSS score of 7.2 and an EPSS score of 1.18%, allows attackers with sufficient Active Directory (AD) permissions to gain full administrative access to ESXi hosts configured to use AD for user management. It was first discovered by Microsoft security researchers and fixed in ESXi 8.0 Update 3, released on June 25, 2024. The vulnerability has been actively exploited in the wild, particularly by ransomware operators deploying Akira and Black Basta ransomware.

Why Should TPRM Professionals Care About This Vulnerability?

This vulnerability is critical for TPRM professionals because it allows threat actors to gain administrative control over ESXi hypervisors, enabling mass encryption of virtual machines and severe operational disruptions. The exploitation of this vulnerability can lead to significant data loss, unauthorized access to sensitive information, and lateral movement within the network (National Vulnerability Database).

PoC is available, and the vulnerability was published in CISA's Known Exploited Vulnerabilities catalog on July 30, 2024. Due to its inherently exploitable nature, threat actors can readily exploit this vulnerability. The severity of these vulnerabilities is underscored by their potential impact on system integrity and confidentiality. The ESXi hypervisor vulnerability is actively being exploited by ransomware operators such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest.

What Questions Should TPRM Professionals Ask Vendors About This Vulnerability?

1. Have you applied the latest security patches for ESXi hypervisors, specifically ESXi80U3-24022510, ESXi70U3sq-23794019, and VMware Cloud Foundation 5.2?
2. How have you ensured that the "ESX Admins" group in your domain is securely configured and that access to this group is manually denied?
3. What steps have you taken to disable automatic administrative access on ESXi hypervisors using the advanced host setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd?
4. How are you monitoring ESXi logs for signs of suspicious full administrative access and configuring these logs to be sent to a SIEM system?

Remediation Recommendations for Vendors

To mitigate the risk associated with CVE-2024-37085, vendors should:

1. Apply Security Patches

Install the latest security patches released by VMware for ESXi hypervisors:

• ESXi80U3-24022510
• ESXi70U3sq-23794019
• VMware Cloud Foundation 5.2
• Async patch to ESXi 7.0 U3q for VMware Cloud Foundation 4.x

2. Risk Reduction Recommendations

1. Validate and Harden "ESX Admins" Group: Ensure the "ESX Admins" group exists in the domain and is securely configured. Deny access manually by changing ESXi hypervisor settings to deny access to the "ESX Admins" group.
2. Disable Automatic Admin Access: Use the advanced host setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to disable automatic administrative access. Assign a different group as the admin group in the ESXi hypervisor.
3. Add Custom Detections: Implement custom detections in XDR/SIEM for new group names and monitor ESXi logs. Configure ESXi logs to be sent to a SIEM system and monitor for signs of suspicious full administrative access.
4. Protect Privileged Accounts: Ensure highly privileged accounts, especially those managing domain groups, are protected. Require Multi-Factor Authentication (MFA) on all accounts, remove MFA exclusions, and enforce MFA always using authenticator apps.
5. Enable Passwordless Authentication: Use methods like Windows Hello, FIDO keys, or Microsoft Authenticator for accounts that support passwordless authentication.
6. Isolate Privileged Accounts: Separate privileged accounts from productivity accounts to protect administrative access.
7. Identify and Protect Critical Assets: Ensure ESXi hypervisors and vCenters are protected with updates, monitoring, and backup plans.
8. Deploy Authenticated Scans: Use SNMP via Microsoft Defender portal to scan network devices like ESXi for vulnerabilities and receive security recommendations.
9. Implement Network Segmentation: Limit the spread of ransomware across virtualized environments by segmenting the network.
10. Conduct Regular Cybersecurity Training: Train staff regularly to recognize phishing attempts and other common attack vectors used by ransomware operators. Ensure robust backup and recovery plans are maintained and regularly tested to restore data in case of an attack.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite's FocusTags provide detailed information about vendors potentially affected by CVE-2024-37085, published on July 31, 2024. TPRM professionals can use these tags to quickly identify at-risk vendors, understand specific assets involved, and streamline risk assessment processes. By leveraging detailed asset information, Black Kite enables a targeted approach to managing the risk posed by this vulnerability, enhancing overall cybersecurity posture.

Timeline for CVE-2024-37085:

Jun 25, 2024 (Tuesday):

• NVD published the first details for CVE-2024-37085. (https://nvd.nist.gov/vuln/detail/CVE-2024-37085)

Jun 26, 2024 (Wednesday):

• This CVE started to trend in security discussions.

Jun 29, 2024 (Saturday):

• Detection for the vulnerability has been added to Nessus (201123)

Jun 30, 2024 (Sunday):

• CVE-2024-37085 is a critical vulnerability in VMware ESXi that poses significant risks to organizations. It has a CVSS score of [insert score if available], is being actively exploited in the wild by [insert threat actor if known], and there are proof-of-concept exploits available. Mitigations, detections, and patches are available, but downstream impacts to other third-party vendors or technology may still occur. (https://cybersecuritynews.com/cyber-security-news-round-up/)

July 29, 2024 (Monday):

• Attacks in the wild have been reported by Threat intelligence | Microsoft Security Blog.?

• The vulnerability is known to be exploited by Black Basta (Linux), Akira (Windows), Storm-1567, Scattered Spider.

July 30, 2024 (Tuesday):

• This CVE started to trend in security discussions.

• The vulnerability is known to be exploited by QakBot, Babuk (Windows), LockBit (MacOS).

• Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Enhancing TPRM Strategies With Black Kite’s FocusTags?

In today’s rapidly evolving cyber threat landscape, staying ahead of vulnerabilities is imperative for robust Third-Party Risk Management (TPRM). Black Kite’s FocusTags? are at the forefront of this challenge, providing essential insights and tools to effectively manage these risks. The value of this tag becomes evident when faced with a critical vulnerability like this in VMware ESXi.

• Real-Time Vulnerability Tracking: Instantly identifying vendors affected by the latest vulnerabilities allows for a swift and strategic response.
• Risk Prioritization: By evaluating both vendor importance and vulnerability severity, FocusTags? help in allocating resources more effectively.
• Informed Vendor Conversations: Facilitate targeted discussions with vendors, focusing on their specific security posture in relation to the identified vulnerabilities.
• Comprehensive Security Overview: With a broad view of the threat landscape, these tags aid in enhancing overall cybersecurity strategies.

Black Kite’s FocusTags?, especially when dealing with the complexities of recent vulnerabilities in diverse systems, offer a streamlined, intelligent approach to TPRM, converting intricate cyber threat data into actionable intelligence. This capability is critical for managing risks efficiently and proactively in an environment where cyber threats are constantly evolving.

By leveraging Black Kite’s FocusTags?, TPRM professionals can enhance their risk management strategies, ensuring a more secure and resilient supply chain in the face of evolving cyber threats.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTagsTM in the Last 30 Days:

• VMware ESXi: CVE-2024-37085, Authentication Bypass Vulnerability in VMware ESXi, VMware Cloud Foundation.
• Gogs: CVE-2024-39930, CVE-2024-39931, CVE-2024-39932, and CVE-2024-39933, Argument Injection Vulnerability in Gogs.
• Internet Explorer: CVE-2012-4792, Use-After-Free Vulnerability in Internet Explorer.
• Docker AuthZ: CVE-2024-41110, AuthZ Bypass and Privilege Escalation Vulnerability in Docker.
• JumpServer: CVE-2024-40628, CVE-2024-40629, Sensitive Information Disclosure and RCE Vulnerability in JumpServer.
• Serv-U FTP: CVE-2024-28995, Directory Traversal Vulnerability in SolarWinds Serv-U.

• Microsoft SharePoint: CVE-2024-38094, Remote Code Execution Vulnerability in Microsoft SharePoint.
• Citrix NetScaler: CVE-2024-6235, Information Disclosure Vulnerability in Citrix NetScaler.
• ServiceNow: CVE-2024-4879, Input Validation Vulnerability in ServiceNow.
• Exim Mail: CVE-2024-39929, Security Restriction Bypass Vulnerability in Exim Mail Servers.
• GeoServer: CVE-2024-36401, Eval Injection and RCE Vulnerability in GeoServer.
• PHP-CGI: CVE-2024-4577, OS Command Injection Vulnerability in PHP-CGI Module.
• Microsoft MSMQ: CVE-2024-30080, Use After Free, Remote Code Execution Vulnerability in Microsoft Message Queuing (MSMQ).
• Rejetto HFS: CVE-2024-23692, Template Injection Vulnerability, Unauthenticated RCE Vulnerability in Rejetto HTTP File Server

References

https://nvd.nist.gov/vuln/detail/CVE-2024-37085

https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

https://www.bleepingcomputer.com/news/microsoft/microsoft-ransomware-gangs-exploit-vmware-esxi-auth-bypass-in-attacks/

https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited/

https://feedly.com/cve/CVE-2024-37085

https://cybersecuritynews.com/cyber-security-news-round-up/