Headline
Embattled VMware ESXi Hypervisor Flaw Exploitable in Myriad Ways
It’s not just Internet-accessible hosts that are vulnerable, researchers say.
Security teams working to secure their organizations against a nearly two-year-old vulnerability in VMware’s ESXi hypervisor technology that attackers suddenly began exploiting en masse last week must pay attention to all ESXi hosts in the environment, not just Internet-accessible ones.
That’s the advice of security vendor Bitdefender after it analyzed the threat and discovered that attackers can exploit it in multiple ways.
Two-Year-Old Flaw
The vulnerability in question, CVE-2021-21974, is present in VMware’s implementation of a service delivery protocol in ESXi called Open Service Location Protocol (OpenSLP). The vulnerability gives unauthenticated attackers the ability to remotely execute malicious code on affected systems without any user interaction.
VMware disclosed the vulnerability in February 2021 and issued a patch for it at the same time. Since then, attackers have targeted it heavily and made CVE-2021-29174 one of the most exploited vulnerabilities in 2021 and 2022. On Feb. 3, France’s computer emergency response team warned about bad actors exploiting CVE-2021-21974 to distribute a ransomware variant dubbed ESXiArgs ransomware on ESXi hosts around the world.
The widespread nature of the attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to release a recovery script that victims of ESXiArgs could use to try to recover their systems.
Martin Zugec, technical solutions director at Bitdefender, says though the initial compromise vector remains unknown, a popular theory is that it is via direct exploitation through Internet-exposed port 427. VMware itself has recommended that if organizations cannot patch immediately, they should block access to port 427.
While that measure can slow down an adversary, it does not eliminate risk from the flaw entirely because attackers can exploit the vulnerability in other ways as well, Zugec says. If an organization blocks port 427, for instance, an attacker could still compromise one of the virtual machines running on an ESXi host via any existing vulnerability.
They could then escape the compromised virtual machine to exploit the vulnerability in OpenSLP and gain root access to the host, he says.
Other Ways to Exploit Flaw
“Threat actors can use any existing vulnerability to compromise a virtual machine — whether it’s Linux or Windows-based,” Zugec notes.
A threat actor can also relatively easily buy on the Dark Web access to a previously compromised virtual machine and attempt OpenSLP remote code execution against the hosting hypervisor, he says.
“If successful, the threat actor can gain access not only to the hypervisor host, but also to all other machines running on the same server,” Zugec says. “The OpenSLP exploit in this case would allow a threat actor to escalate their access and move laterally to other — potentially more valuable — machines.”
Zugec says Bitdefender has so far seen no evidence of attackers exploiting the VMware ESXi vulnerability in this manner. But, given the major focus on direct exploitation via port 427, Bitdefender wanted to warn the public about other methods to exploit this vulnerability, he says. In addition to blocking access to port 427, VMware has also recommended that organizations that cannot patch CVE-2021-21974 simply disable SLP where possible.
Shades of WannaCry
Bitdefender said its analysis of the latest attacks targeting CVE-2021-21974 suggest that the threat actors behind them are opportunistic and not very sophisticated. Many of the attacks appear completely automated in nature, from initial scans for vulnerable systems to ransomware deployment.
“We can compare this to WannaCry,” Zugec notes. “While these attacks can reach a wide range of machines, the impact remains limited.”
But more sophisticated threat actors would use the flaw in ESXi to conduct a much larger operation, he says. Initial access brokers, for instance, could deploy a remote Web shell and disable SLP service so other threat actors cannot exploit the same flaw. They could then simply lie in wait for the best opportunity to monetize their access. Potential options could include data theft, surveillance, and cryptojacking.
To fully address the risk of a cyberattack exploiting the VMware vuln, Bitdefender — like VMware and others — recommends that organizations apply the patch for it immediately.
Related news
Wide use and lack of support for malware detection technologies has made VMware's virtualization technology a prime target for cyberattackers.
Categories: News Categories: Ransomware Tags: ESXi Tags: ESXiArgs Tags: encryption routine The ransomware group behind the massive attack on ESXi Virtual Machines has come up with a new variant that can no longer be decrypted with the existing recovery script (Read more...) The post New ESXiArgs encryption routine outmaneuvers recovery methods appeared first on Malwarebytes Labs.
By Deeba Ahmed The recovery tool is available on GitHub for free. This is a post from HackRead.com Read the original post: CISA Offers Recovery Tool for ESXiArgs Ransomware Victims
The malware has affected thousands of VMware ESXi hypervisors in the last few days.
By Deeba Ahmed The refutation came days after Europe and North America were rattled by ESXiArgs Ransomware attacks. This is a post from HackRead.com Read the original post: VMware Disputes Old Flaws at Root of ESXiArgs Ransomware Attacks
The global assault on vulnerable VMware hypervisors may have been mitigated by updating to the latest version of the product, but patch management is only part of the story.
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware
The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: VMware Tags: ESXi Tags: Nevada Tags: ransomware Tags: Linux Tags: CVE-2021-21974 Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines. (Read more...) The post Two year old vulnerability used in ransomware attack against VMware ESXi appeared first on Malwarebytes Labs.
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.