Part 55: HOW TO: Check if you have compromised your VMware ESXi 7.0 Hosts if you have added them to Microsoft Active Directory

This video was created in response to Experts Exchange members asking the question “have I compromised my ESXi host be adding to AD?”

In this video presentation which is part of the Hancock’s VMware Half Hour I will show you HOW TO: Check if you have compromised your VMware ESXi 8.0 Hosts if you have added them to Microsoft Active Directory.

In this video demonstration the ESXi servers are ESXi 8.0.3, which have the “fix” detailed below

Secure Default Settings for ESXi Active Directory integration

To demonstrate the differences between a compromised and non-compromised server, I have deliberately changed the default settings on esxi002.cyrus-consultants.co.uk, so the server can be compromised.
HOW NOT TO: Compromise your VMware vSphere Hypervisor ESXi 5.1, 5.5, 6.0, 6.5, 6.7, 7.0, 8.0 by adding to Microsoft Active Directory

On the 29th July 2024, Microsoft discovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.

this publication is here – https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

VMware vExperts – Christian Mohn wrote about it here – VMware vSphere CVE-2024-37085 – A Nothing Burger

and Bob Plankers goes into more detail here – Thoughts on CVE-2024-37085 & VMSA-2024-0013

Please have a read of these publications.

Broadcom have issued updates and fixes to vSphere 7.0 and 8.0, and VCF 4.x and 5.x only. There is no security update for 6.7.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505

Post to Twitter

Tags: , , , ,