VMware ESXi 7.0 / 8.0 Authenticaton Bypass (CVE-2024-37085)

2024-06-2800:00:00

www.tenable.com

107

vmware esxi

authenticaton bypass

cve-2024-37085

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.014

Percentile

86.7%

JSON

The version of VMware ESXi installed on the remote host is prior to 8.0 Update 3. It is, therefore, affected by an authentication bypass vulnerability as referenced in the VMSA-2024-0013 advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(201123);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/01");

  script_cve_id("CVE-2024-37085");
  script_xref(name:"VMSA", value:"2024-0013");
  script_xref(name:"IAVA", value:"2024-A-0373");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/08/20");

  script_name(english:"VMware ESXi 7.0 / 8.0 Authenticaton Bypass (CVE-2024-37085)");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESXi host is affected by an authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware ESXi installed on the remote host is prior to 8.0 Update 3. It is, therefore, affected by an 
authentication bypass vulnerability as referenced in the VMSA-2024-0013 advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?04fbf245");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware ESXi 8.0 Update 3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-37085");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/06/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/06/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/28");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/release", "Host/VMware/vsphere", "Settings/ParanoidReport");

  exit(0);
}

# There are workarounds for CVE-2024-37085 via proper account setup, which we will not be checking for.
# We are setting this one to Paranoid for those reasons.
if (report_paranoia < 2)
  audit(AUDIT_PARANOID);

var fixes = make_array(
    '7.0.0', 24022510,
    '7.0.1', 24022510,
    '7.0.2', 24022510,
    '7.0.3', 24022510,
    '8.0.0', 24022510,
    '8.0.1', 24022510,
    '8.0.2', 24022510,
    '8.0.3', 24022510
);

var fixed_display = make_array(
    '7.0.0', '8.0U3 24022510',
    '7.0.1', '8.0U3 24022510',
    '7.0.2', '8.0U3 24022510',
    '7.0.3', '8.0U3 24022510',
    '8.0.0', '8.0U3 24022510',
    '8.0.1', '8.0U3 24022510',
    '8.0.2', '8.0U3 24022510',
    '8.0.3', '8.0U3 24022510'
);

var rel = get_kb_item_or_exit('Host/VMware/release');
if ('ESXi' >!< rel) audit(AUDIT_OS_NOT, 'ESXi');

var port  = get_kb_item_or_exit('Host/VMware/vsphere');

var match = pregmatch(pattern:"^VMware ESXi?o? ([0-9]+\.[0-9]+\.[0-9]+)", string:rel);
if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '7.0 / 8.0');
var ver = match[1];

if (ver !~ "^((7|8)\.0)") audit(AUDIT_OS_NOT, 'ESXi 7.0 / 8.0');

var fixed_build = fixes[ver];

if (empty_or_null(fixed_build)) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver);

match = pregmatch(pattern:"^VMware ESXi?o?.*build-([0-9]+)$", string:rel);
if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '7.0 / 8.0');

var build = int(match[1]);

if (build >= fixed_build) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver + ' build ' + build);

var report = '\n  ESXi version    : ' + rel +
         '\n  Installed build : ' + build +
         '\n  Fixed build     : ' + fixed_display[ver] +
         '\n';

security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);