What is the VMware ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)?
A new heap-overflow vulnerability (CVE-2021-21974) has been discovered in the VMware ESXi OpenSLP service. This vulnerability allows attackers to execute arbitrary code and take control of the affected system, posing a serious threat to organizations that use VMware’s ESXi to manage their virtual infrastructure.
On February 3rd, 2023 the cloud hosting provider OVH notified the security community of an active ransomware campaign affecting many of their ESXi customers (sometimes referred to as “ESXiArgs” because the ransomware creates files with an extension of .args). As of the publishing of this article, no CVE is being concretely attributed as the initial access vector for the ESXiArgs campaign by first-party sources.
VMware ESXi enables organizations to consolidate their server resources and reduce costs. The OpenSLP service provides location information for services within the virtual infrastructure, making it a critical component of the overall system. The heap-overflow vulnerability in this service makes it possible for attackers to execute arbitrary code, leading to the complete compromise and takeover of the affected system.
What the Banyan Research Lab has Observed
Banyan Security’s Research Lab has consistently found IT-approved systems with misconfigurations which allow for unauthorized and unwanted access, as well as non-IT-approved servers and network access points. Banyan’s Discover and Publish functionality discovers shadow IT devices and systems with open ports, enabling policies to be created that lock down access.
In light of this vulnerability, organizations should take immediate action to protect their virtual infrastructure. While patching is an important step, it may not be enough to ensure complete security.
What To Do Next About the VMware ESXi OpenSLP Vulnerability
Next steps for remediation depend on how the system is being accessed. If using a full-tunnel Layer 3 VPN, this access may be disabled. This would be disruptive for end users; however, not shutting the system down right away would allow for a more thorough investigation if a breach is suspected, collecting forensic information of a live system to take further steps or track down bad actors. For organizations with ZTNA, access to very specific ports should be configured. This CVE uses port 427 (which is not a common port to expose). Logical segmentation of this system would further secure the system from attacks based on that and other unnecessarily opened ports. This type of segmentation can be done using the ZTNA solution and would not require any changes to the system itself while it is under investigation. Any changes to the system may reveal to the attacker that the attack has been discovered.
A modern solution will also be able to give visibility into which user from which device is attempting to access the compromised system using the port related to the exploit. This visibility can be used to report on policies that are too permissive and users/devices that may be affected by malware.
As Ransomware-as-a-Service (RaaS) grows, the number of attacks will continue to grow. The FBI’s Internet Crime Complaint Center received 3,729 complaints about ransomware attacks in 2021, an increase of over 70% from 2020. Unprotected and unpatched systems are the low-hanging fruit that attackers often focus on, but can also be the easiest for organizations to remediate.
Visit us to learn more about how Banyan can protect your organization.