Friday, February 17th, 2023
ESXi Vulnerability Simplified: What You Need to Know
Security teams around the world are working to secure their environments against a vulnerability in VMware’s ESXi hypervisor that cyber criminals are actively exploiting en masse, in some cases launching ransomware attacks on victim organisations. The vulnerability, CVE-2021-21974, is nearly two years old and was one of the most exploited vulnerabilities of 2021 and 2022. The recent attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release a recovery script that victims of ESXiArgs can use to restore their systems. The flaw is a heap overflow in OpenSLP as used in ESXi: a malicious actor with network access to port 427 may be able to trigger the overflow in the OpenSLP service, resulting in remote code execution.
CVE-2021-21974 affects the following systems:
● ESXi versions 7.x prior to ESXi70U1c-17325551
● ESXi versions 6.7.x prior to ESXi670-202102401-SG
● ESXi versions 6.5.x prior to ESXi650-202102101-SG
The vulnerability is associated with the following Common Weakness Enumeration (CWE) categories:
● Buffer overflow
● Incorrect calculation of buffer size
● Buffer access with incorrect length value
Is this vulnerability a serious problem?
At the root of this vulnerability is a service discovery protocol, the Service Location Protocol (SLP). The SLP service on ESXi hosts parses network input without authentication and runs as root. What makes this dangerous is the combination of widespread use, low attack complexity, no authentication requirement, and no user interaction.
The French national government computer security incident response team (CERT-FR) announced on February 3rd that it had become aware of attack campaigns targeting ESXi hypervisors to deploy ransomware, and so far the ESXiArgs ransomware campaign has succeeded in compromising thousands of servers running VMware’s ESXi hypervisor. Attackers who can reach port 427 on the same network as the ESXi host can execute remote code, leading to a ransomware attack. The fastest mitigation for Internet-exposed hosts is to block access to port 427.
On ESXi hypervisors that have not yet been updated, admins must disable the vulnerable Service Location Protocol (SLP) service to prevent incoming attacks. We recommend applying the patch as soon as possible. Systems that remain unpatched must also be scanned for signs of compromise. For more comprehensive protection, we recommend implementing the following:
● Implement a 24/7 monitoring capability
● Create alerts on account modifications, enabling of services, and authentication patterns
● Enable multi-factor authentication and enforce it on high-privileged accounts
● Disable SSH and Shell access to ESXi. However, if they must be enabled, consider setting timeouts and enabling key-only authentication
● Implement network segmentation for the ESXi management network
● Minimise the number of open ESXi firewall ports, and use vSphere Client, ESXCLI, or PowerCLI commands to check and manage the status of ports
● Ensure that software, drivers, and other components of ESXi are legitimate and enable Secure Boot on ESXi to perform validation of the components at boot time
● Install and configure Trusted Platform Module 2.0 chips as an effective, VMware-supported method of ensuring the integrity of software components on the system
● Prohibit code execution inside ESXi with VMkernel.Boot.execInstalledOnly
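As an added example (not code from the original post or from VMware), the host-side mitigations above, stopping and disabling SLP, closing port 427 on the ESXi firewall, and turning on execInstalledOnly, scripted for the ESXi shell. The esxcli and chkconfig commands are the ones VMware documents for these settings; the run wrapper, the function names, the DRY_RUN switch and the grep filters in the audit step are this script's own assumptions. It removes the exposed service on hosts that are still waiting for the update; it is not a substitute for the patch.

```shell
#!/bin/sh
# Added example, not from the original post: the SLP hardening steps described
# above as a script for the ESXi shell. The esxcli/chkconfig commands are the
# ones VMware documents; the wrapper, function names and DRY_RUN switch are
# this script's own (assumptions, not part of the advisory).
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# disable_slp: stop the running daemon, close port 427 at the ESXi firewall
# (the CIMSLP ruleset), then disable the service at boot so it does not come
# back after a reboot. Stopping first matters: closing the port alone leaves
# the daemon running, and chkconfig alone leaves it running until reboot.
disable_slp() {
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# enforce_exec_installed_only: allow only binaries from installed VIBs to run
# (the VMkernel.Boot.execInstalledOnly setting from the list above).
enforce_exec_installed_only() {
    run esxcli system settings kernel set -s execInstalledOnly -v TRUE
}

# audit: show the state an operator should verify afterwards. The grep
# filters are assumptions about the output layout; adjust to your build.
# '|| :' keeps set -e from aborting when a stopped slpd returns non-zero.
audit() {
    run /etc/init.d/slpd status || :
    run sh -c 'chkconfig --list | grep slpd'
    run sh -c 'esxcli network firewall ruleset list | grep -i CIMSLP'
    run sh -c 'esxcli system settings kernel list | grep execInstalledOnly'
}

# Usage: sh harden-slp.sh apply   (DRY_RUN=1 sh harden-slp.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    disable_slp
    enforce_exec_installed_only
    audit
fi
```

Run it with DRY_RUN=1 first to review the exact command sequence, then without it on each unpatched host; the audit output is what to record as evidence that port 427 is closed and slpd will not restart.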