In a recent advisory issued by the French CERT team, it was noted that threat actors are exploiting a two-year-old remote code execution vulnerability to deploy a new ransomware strain that targets VMware ESXi servers worldwide.
This critical vulnerability, tracked as CVE-2021-21974, is caused by a heap overflow in the OpenSLP service and can be exploited by unauthenticated attackers in low-complexity attacks.
In an advisory published at the time, VMware described the problem as an OpenSLP heap overflow vulnerability that could lead to arbitrary code execution. “A malicious actor residing on the same network segment as ESXi and accessing port 427 could trigger a heap overflow issue in OpenSLP, resulting in remote code execution,” the virtualization service provider noted.
While VMware’s first 2021 advisory on the vulnerability said it affected ESXi versions 7.0, 6.7 and 6.5, the attacks appear to affect older builds as well; debate also continues as to whether CVE-2021-21974 is the only mechanism through which the exploit occurs.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
Administrators should ensure that unpatched ESXi hosts are protected by a firewall and have no exposed ports. VMware’s previous mitigation for the vulnerability required users to:
1. Log in to the ESXi host over SSH (e.g. with PuTTY).
2. Stop the SLP service on the ESXi host with this command: `/etc/init.d/slpd stop` (Note: the SLP service can only be stopped when it is not in use; the operational status of the SLP daemon can be checked with `esxcli system slp stats get`).
3. Run this command to disable the service: `esxcli network firewall ruleset set -r CIMSLP -e 0`
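The two checks a defender wants after reading the affected-version list and the mitigation steps above are (a) whether a host's build is below the fixed build and (b) whether the CIMSLP firewall ruleset is actually disabled. The POSIX sh script below is an added example, not code from the advisory or from VMware: it classifies the banner printed by `vmware -v` against the fixed builds, and parses the output of `esxcli network firewall ruleset list` for the CIMSLP state. Only the 7.x fixed build (17325551) appears in the advisory text, so the 6.7 and 6.5 thresholds are placeholders to fill in from VMware's release notes; the `vmware -v` banner format and the two-column Name/Enabled ruleset listing are assumptions, and all sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or VMware). Offline checks for
# CVE-2021-21974 exposure on ESXi hosts, driven by captured command output.

# Fixed builds. Only the 7.x build appears in the advisory (ESXi70U1c-17325551);
# the 6.7 / 6.5 values are PLACEHOLDERS: set them from VMware's release notes
# for ESXi670-202102401-SG and ESXi650-202102101-SG, or the check reports UNKNOWN.
FIXED_BUILD_7X=17325551
FIXED_BUILD_67="${FIXED_BUILD_67:-}"   # placeholder, e.g. export FIXED_BUILD_67=<build>
FIXED_BUILD_65="${FIXED_BUILD_65:-}"   # placeholder, e.g. export FIXED_BUILD_65=<build>

# classify_esxi "<vmware -v banner>"  (assumed format: "VMware ESXi 7.0.1 build-17325551")
# Prints PATCHED / VULNERABLE / UNKNOWN and returns 0 / 1 / 2 respectively.
classify_esxi() {
    banner="$1"
    ver=$(printf '%s\n' "$banner" | sed -n 's/^VMware ESXi \([0-9]*\.[0-9]*\).*/\1/p')
    build=$(printf '%s\n' "$banner" | sed -n 's/.*build-\([0-9]*\).*/\1/p')
    if [ -z "$ver" ] || [ -z "$build" ]; then
        echo UNKNOWN; return 2          # unparseable banner: do not guess
    fi
    case "$ver" in
        7.*) fixed="$FIXED_BUILD_7X" ;;
        6.7) fixed="$FIXED_BUILD_67" ;;
        6.5) fixed="$FIXED_BUILD_65" ;;
        *)   echo UNKNOWN; return 2 ;;  # train not listed in the advisory
    esac
    if [ -z "$fixed" ]; then
        echo UNKNOWN; return 2          # threshold placeholder not filled in
    fi
    if [ "$build" -ge "$fixed" ]; then
        echo PATCHED; return 0
    fi
    echo VULNERABLE; return 1
}

# cimslp_state < "esxcli network firewall ruleset list" output
# Assumes the two-column "Name  Enabled" listing. Prints enabled / disabled / missing.
cimslp_state() {
    awk '$1 == "CIMSLP" { found = 1; state = $2 }
         END {
             if (!found) print "missing";
             else if (state == "true") print "enabled";
             else print "disabled"
         }'
}

# Constructed sample ruleset listings: before and after step 3 of the mitigation.
RULESET_SAMPLE_BEFORE='Name       Enabled
---------  -------
sshServer  true
CIMSLP     true'

RULESET_SAMPLE_AFTER='Name       Enabled
---------  -------
sshServer  true
CIMSLP     false'

# Demo over constructed banners (build numbers other than 17325551 are made up).
for banner in "VMware ESXi 7.0.1 build-17325551" \
              "VMware ESXi 7.0.0 build-12345678" \
              "VMware ESXi 6.7.0 build-12345678"; do
    verdict=$(classify_esxi "$banner") || true
    printf '%-36s -> %s\n' "$banner" "$verdict"
done
printf 'CIMSLP before mitigation: %s\n' "$(printf '%s\n' "$RULESET_SAMPLE_BEFORE" | cimslp_state)"
printf 'CIMSLP after mitigation:  %s\n' "$(printf '%s\n' "$RULESET_SAMPLE_AFTER" | cimslp_state)"
```

On a live host the same functions take real input: `classify_esxi "$(vmware -v)"` and `esxcli network firewall ruleset list | cimslp_state`. An UNKNOWN verdict is deliberate whenever the script cannot prove the host is patched, so that a missing placeholder or an unexpected banner never reads as "safe".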
It is important to identify the ESXi servers running in your organization as soon as possible. If you are on the defending side, work with your infrastructure teams to take action immediately. Following proper patching procedures urgently is the key to protecting the organization from becoming a ransomware victim.
References:
https://thestack.technology/mass-esxi-ransomware-attacks-cve-2021-21974/