CVE-2023-36424: VMware vCenter Server Authentication Bypass

The exploitation of CVE-2023-36424 represents a severe risk to virtualized infrastructure. By leveraging a flaw in the internal API handling of VMware vCenter Server, unauthorized remote actors can bypass authentication mechanisms completely, granting them full administrative control over the vSphere environment. This allows complete compromise of the virtualized data center, including the ability to manipulate virtual machines, exfiltrate data, or deploy ransomware across the entire cluster.

The vulnerability resides in the authentication layer of the vCenter Server’s internal API. In a standard request flow, the server validates a session token or an authentication header before granting access to privileged endpoints. However, a logic flaw in the API handlers allows certain requests to skip this validation phase.

The issue is tied to an improper trust assumption within the internal API handlers. When specific crafted HTTP requests are sent to sensitive endpoints, the server fails to verify the session identifier. This effectively treats the unauthenticated request as a trusted administrative session.

The vulnerable code path involves the following sequence:

  1. Attacker identifies a sensitive administrative API endpoint.
  2. A request is crafted with specific headers or structural anomalies that trigger the bypass logic.
  3. The handler permits the action without redirecting to the SSO (Single Sign-On) login page.
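The pattern described above, a privileged handler that is reached without the session check ever running, is easiest to see next to its fix. The following is an added, hypothetical Python model written for this page; it is not vCenter code, and the endpoint names, session store and handlers are all constructed. The vulnerable dispatcher trusts each handler to validate the session itself, so a single handler that omits the check becomes an unauthenticated administrative entry point; the hardened dispatcher decides authentication once, before any handler runs, and denies by default.

```python
"""Per-handler authentication (vulnerable) versus a central gate (hardened).

Added, hypothetical example; not vCenter code. Paths, tokens and handlers
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed session store: session token -> user name.
VALID_SESSIONS = {"tok-admin-1": "administrator"}


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str


def _is_authenticated(req: Request) -> bool:
    return req.session_token in VALID_SESSIONS


# --- Vulnerable pattern: every handler must remember to check the session ---

def list_vms(req: Request) -> Response:
    if not _is_authenticated(req):
        return Response(401, "login required")
    return Response(200, "vm-01,vm-02")


def create_user(req: Request) -> Response:
    # Hypothetical privileged handler whose author omitted the check.
    # Nothing upstream catches this, so the request is treated as trusted.
    return Response(200, "user created")


VULNERABLE_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/api/vms": list_vms,
    "/api/users": create_user,
}


def vulnerable_dispatch(req: Request) -> Response:
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)


# --- Hardened pattern: one gate before dispatch, deny by default ---

# Explicit allow-list of the only paths reachable without a session.
PUBLIC_PATHS = {"/api/health"}

HARDENED_ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/api/health": lambda req: Response(200, "ok"),
    "/api/vms": lambda req: Response(200, "vm-01,vm-02"),
    "/api/users": lambda req: Response(200, "user created"),
}


def hardened_dispatch(req: Request) -> Response:
    # Authentication is decided here for every path, so a handler that
    # forgets its own check can no longer become an anonymous entry point.
    # Unknown paths are also refused before lookup, so an unauthenticated
    # caller cannot enumerate which endpoints exist.
    if req.path not in PUBLIC_PATHS and not _is_authenticated(req):
        return Response(401, "login required")
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req)
```

The design point is that authentication belongs in a layer the individual handlers cannot skip, with an explicit allow-list of anonymous paths rather than an implicit assumption that each handler checks.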

The exploitation process is straightforward once the target is identified, which explains the high prevalence of this vulnerability in the wild.

  1. Reconnaissance: The attacker identifies a reachable VMware vCenter Server management interface (typically port 443).
  2. Payload Crafting: Utilizing public PoCs (available on GitHub), the attacker crafts an HTTP request targeting internal API endpoints.
  3. Bypass Execution: The request is sent to the vCenter server. Due to the flaw, the server processes the request as having administrative authority.
  4. Privilege Escalation: The attacker uses the bypassed session to create new administrative accounts or modify existing vSphere configurations.
  5. Post-Exploitation: The attacker gains full control over the ESXi hosts and virtual machines managed by the vCenter.

Detecting this vulnerability requires a combination of log analysis and behavioral monitoring, as the bypass often leaves few obvious traces in standard security logs.

The primary source of evidence is the vCenter internal logging system.

  • vpxd.log (/var/log/vmware/vpxd/vpxd.log): Search for administrative actions originating from IP addresses that have no record of a successful login event within the same timeframe.
  • Audit Logs (/var/log/vmware/audit/): Analyze logs for privileged operations (e.g., user creation, VM deletions, snapshot modifications) that occurred without a preceding LoginSuccessful event.
  • Filesystem Artifacts: Inspect /tmp and /var/tmp for suspicious shell scripts or binaries. Check for modifications to vCenter configuration files that might indicate the establishment of persistence.

Monitor for the unexpected spawning of shells. In a healthy environment, the vpxd process or associated Java-based API services should not be spawning sh or bash shells. Any such occurrence is a high-fidelity indicator of remote code execution (RCE) following the authentication bypass.

To defend against this threat, organizations should implement the following detection strategies.

For those utilizing a centralized log management system (Splunk/ELK), use the following logic:

    index=vmware_logs process=vpxd | search "administrative action" AND NOT "successful authentication"

  • Log Source: vCenter API/Audit Logs
  • Selection:
    • http.response.status_code: 200
    • http.request.path: /api/*
    • http.request.headers.authorization: (null or empty)
  • Condition: Selection matches and the request targets a privileged operation.
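The three detections above (privileged operations with no preceding login from the same source, the HTTP selection for a 200 on /api/* with no Authorization header, and API service processes spawning a shell) can be expressed as plain correlation logic. The following is an added Python example written for this page, not code from VMware or from any SIEM vendor. The log lines and process events it runs over are constructed and deliberately simplified; their field layout, the event names LoginSuccessful and PrivilegedOp, the IP addresses and the process names are assumptions, not real vCenter log formats.

```python
"""Correlation logic for the three vCenter detections described above.

Added example with constructed, simplified inputs (not real vCenter log
formats). Event names, field layout, IPs and process names are assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit-style events: "<ISO time> <event> src=<ip> user=<name> op=<operation>"
AUDIT_LINES = [
    "2024-01-10T09:00:00 LoginSuccessful src=10.0.0.5 user=administrator op=-",
    "2024-01-10T09:02:10 PrivilegedOp src=10.0.0.5 user=administrator op=CreateUser",
    "2024-01-10T09:30:42 PrivilegedOp src=203.0.113.7 user=administrator op=CreateUser",
    "2024-01-10T09:31:05 PrivilegedOp src=203.0.113.7 user=administrator op=DeleteVM",
    "2024-01-10T11:45:00 PrivilegedOp src=10.0.0.5 user=administrator op=SnapshotModify",
]

# Constructed HTTP access-style records for the selection rule.
HTTP_RECORDS = [
    {"status": 200, "path": "/api/session", "authorization": "Basic ...", "op": "Login"},
    {"status": 200, "path": "/api/vms", "authorization": "Bearer ...", "op": "ListVM"},
    {"status": 200, "path": "/api/users", "authorization": "", "op": "CreateUser"},
    {"status": 401, "path": "/api/users", "authorization": None, "op": "CreateUser"},
    {"status": 200, "path": "/ui/login", "authorization": None, "op": "-"},
]

# Constructed process-creation events (parent -> child) from an EDR-style feed.
PROCESS_EVENTS = [
    {"parent": "vpxd", "child": "vpxd-svcs"},
    {"parent": "java", "child": "sh"},
    {"parent": "sshd", "child": "bash"},
]

# Operations the page names as privileged; extend for your environment.
PRIVILEGED_OPS = {"CreateUser", "DeleteVM", "SnapshotModify"}
# "java" stands in for the Java-based API services mentioned above (assumption).
API_SERVICE_PARENTS = {"vpxd", "java"}
SHELLS = {"sh", "bash"}


def parse_audit(line: str) -> Dict[str, object]:
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts_str), "event": event, **fields}


def privileged_ops_without_login(lines: List[str],
                                 window: timedelta = timedelta(hours=2)
                                 ) -> List[Tuple[str, str, str]]:
    """Privileged operations whose source IP has no LoginSuccessful within `window`.

    The window should match the session lifetime; too short a window turns
    long legitimate sessions into false positives.
    """
    events = sorted((parse_audit(ln) for ln in lines), key=lambda e: e["ts"])
    last_login: Dict[str, datetime] = {}
    findings = []
    for ev in events:
        if ev["event"] == "LoginSuccessful":
            last_login[ev["src"]] = ev["ts"]
        elif ev["event"] == "PrivilegedOp" and ev["op"] in PRIVILEGED_OPS:
            login_ts = last_login.get(ev["src"])
            if login_ts is None or ev["ts"] - login_ts > window:
                findings.append((ev["ts"].isoformat(), ev["src"], ev["op"]))
    return findings


def unauthenticated_privileged_requests(records: List[dict]) -> List[Tuple[str, str]]:
    """Selection: status 200, path under /api/, Authorization null/empty, privileged op."""
    return [
        (r["path"], r["op"]) for r in records
        if r["status"] == 200
        and r["path"].startswith("/api/")
        and not r.get("authorization")
        and r["op"] in PRIVILEGED_OPS
    ]


def suspicious_shell_spawns(events: List[dict]) -> List[Tuple[str, str]]:
    """API service processes (vpxd / Java services) directly spawning sh or bash."""
    return [(e["parent"], e["child"]) for e in events
            if e["parent"] in API_SERVICE_PARENTS and e["child"] in SHELLS]


if __name__ == "__main__":
    for finding in privileged_ops_without_login(AUDIT_LINES):
        print("privileged op without login:", finding)
    for hit in unauthenticated_privileged_requests(HTTP_RECORDS):
        print("unauthenticated privileged request:", hit)
    for spawn in suspicious_shell_spawns(PROCESS_EVENTS):
        print("shell spawned by API service:", spawn)
```

On the constructed input, the first rule flags both operations from 203.0.113.7 (no login at all) and the 11:45 snapshot change from 10.0.0.5, whose last login is outside the two-hour window; the second rule flags only the 200 response on /api/users with an empty Authorization header, not the 401 or the login endpoint; the third flags the Java service spawning sh but not sshd spawning bash.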

Immediate action is required to secure the environment.

Patching

Update vCenter Server to the latest patched version released by VMware. This is the only permanent fix.

Network Isolation

Restrict access to the vCenter Management Interface (Port 443) to a dedicated Management VLAN or a trusted Jump Host.

MFA Enforcement

Implement Multi-Factor Authentication (MFA) for all administrative accounts to reduce the impact of credential-based attacks, though it may not stop this specific bypass.