A recently exploited “vulnerability” within VMware’s ESXi hypervisor, in versions before ESXi 8.0 U3, enables attackers to gain system administrator access on targeted servers. In short: when ESXi servers are joined to an Active Directory domain and a domain group titled “ESX Admins” is created, all members of that group are granted full administrative rights to those ESXi servers.
“Vulnerability” is in quotes because this was actually a feature, added to the hypervisor roughly 12 years ago as a convenience and only recently removed from current releases. That behavior has now been weaponized, and Broadcom has released updates to resolve the issue, but it is worth reviewing the challenges that come with truly securing the hypervisor.
The ESX hypervisor has become a higher-value target over the years, because once you gain control of the hypervisor, you control every workload running on that server, whether the goal is to install ransomware and demand payment to remove it, to crash the server, or simply to steal the data on it. The current attack path is more involved, since the attacker first has to compromise the directory and hold sufficient privileges to add domain groups and users, but other attacks have gone after the hypervisor directly and succeeded. Protecting these hypervisors requires applying Zero Trust, identity and access management, and endpoint detection and response (EDR) principles within your infrastructure. These principles come down to the following questions:
- What devices can access the hypervisor? Not every endpoint within your enterprise should be able to communicate with these servers. With unrestricted access, an attacker who takes over any other device, or who gets onto the network and adds a device of their own, can target the hypervisors directly. Proper network segmentation and access controls ensure that only authorized devices can reach the hypervisors themselves, even if someone has used this vulnerability to elevate privileges or has hijacked an administrative account.
- Do you require MFA for all administrator access and changes? Once inside the enterprise or past the login process, too often we find that the requirements for multifactor authentication (MFA) are relaxed, which allows an unauthorized user to access or change systems once they have obtained a directory account with the right permissions. MFA, especially for changes to core systems and for anything that controls rights management, reduces the likelihood that an attacker can reach core systems like the hypervisors.
- Are you monitoring for anomalous behavior on your hypervisors? Much of the EDR focus has been on desktops and traditional server workloads like Windows Server, because that is where most users work and where the majority of attacks are aimed. But malicious actors are targeting everything they can find, so security practitioners need to take the principles of EDR — watching for unusual activity, analyzing it, determining what kind of malicious action is taking place, and responding appropriately — and apply them to these core components of the infrastructure, especially where those systems cannot accept the installation of an EDR agent/sensor.
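As an added example of the monitoring principle above (not part of the original post), here is a small Python review of Windows Security group events that flags the creation, renaming or population of a domain group named “ESX Admins”. It assumes the events have already been parsed into dicts keyed by their EventData field names (TargetUserName, MemberName, and so on) and runs over constructed sample events.

```python
"""Added example: flag Windows Security group events that create, rename or populate
the AD group name ("ESX Admins") that pre-U3 ESXi treats as its admin group."""
import re

# Standard Security-log event IDs for security-enabled group created / member added / changed.
GROUP_EVENTS = {
    4727: "global group created", 4731: "local group created", 4754: "universal group created",
    4728: "member added to global group", 4732: "member added to local group",
    4756: "member added to universal group",
    4737: "global group changed", 4735: "local group changed", 4755: "universal group changed",
}
# Loose on case and spacing so review catches look-alike names; a review-tuning choice
# here, not a statement about how ESXi itself compares the group name.
TARGET = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

def review_group_events(events):
    """events: dicts keyed by EventData field names (assumed pre-parsed from EVTX/XML)."""
    alerts = []
    for ev in events:
        desc = GROUP_EVENTS.get(ev.get("EventID"))
        if desc is None or not TARGET.match(ev.get("TargetUserName", "")):
            continue  # not a group-lifecycle event, or not the group we care about
        alerts.append({
            "time": ev.get("TimeCreated"), "event": desc,
            "group": f"{ev.get('TargetDomainName', '?')}\\{ev['TargetUserName']}",
            "actor": ev.get("SubjectUserName", "?"),
            "member": ev.get("MemberName"),  # only present on member-added events
        })
    return alerts

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TimeCreated": "2024-07-29T08:05:12Z", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T08:05:40Z", "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2024-07-29T09:10:00Z", "SubjectUserName": "helpdesk1",
     "TargetUserName": "VPN Users", "TargetDomainName": "CORP",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"},
    {"EventID": 4737, "TimeCreated": "2024-07-29T10:30:05Z", "SubjectUserName": "helpdesk1",
     "TargetUserName": "esx admins", "TargetDomainName": "CORP"},
]

if __name__ == "__main__":
    for alert in review_group_events(SAMPLE_EVENTS):
        print(alert)
```

The same check applies to a rename (event 4737/4735/4755 with the new name) as to a fresh creation, which is why the third alert fires on the lower-case "esx admins".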
As much as cloud infrastructure has become a part of many businesses, the use of local hypervisors isn’t going away, and it’s critical that you reduce the likelihood of a compromise by increasing the security of systems surrounding this core piece of your enterprise. Forrester’s technology infrastructure and security & risk analysts can provide guidance and insight to help you understand your options, so feel free to schedule an inquiry to discuss further.