[German]A brief flashback to February 2023: since the beginning of the year, numerous VMware ESXi servers have been hijacked via a known vulnerability that was patched long ago. This VMware ESXi vulnerability has huge threat potential, and there are probably still thousands of unpatched systems. Here is a brief overview again.
Attacks on ESXi servers
Since late January 2023, thousands of VMware ESXi servers worldwide have been successfully attacked by a ransomware actor. The French CERT-FR was the first to issue an alert, on February 3, 2023, addressing two vulnerabilities for which VMware has long provided security updates. Here are the relevant VMware security advisories:
- VMSA-2021-0002, dated February 23, 2021, describes several vulnerabilities in VMware ESXi and vCenter Server that have been addressed by updates. Included is the ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974) with a CVSSv3 score of 8.8. VMware recommended at the time to disable the OpenSLP service in ESXi when it is not in use.
- VMSA-2020-0023, dated Nov. 24, 2020, describes several vulnerabilities, including in VMware ESXi. An ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992, use-after-free) was addressed there (CVSSv3 score of 9.8). A malicious actor on the management network with access to port 427 on an ESXi machine could trigger a use-after-free in the OpenSLP service that leads to remote code execution.
It is now known that thousands of ESXi servers worldwide have been successfully attacked and infected with ransomware. Security agencies around the world warned of cyberattack campaigns targeting VMware ESXi servers. The case shows that negligently maintained software systems carry a real risk of companies falling victim to cyberattacks.
Unpatched VMware ESXi servers a risk
The following tweet came to my attention the other day: it says the Swiss cyber security authority sees cyberattacks on ESXi servers as a risk that could affect the entire population and lead to national or even global disruptions.
The article (in German) is available here. Bitdefender also warned of this security threat. Martin Zugec, Technical Solutions Director at Bitdefender, comments:
"The attacks on VMware ESXi hypervisors, which exploit the recently [GB: recently in this context means 2021] disclosed CVE-2021-21974 vulnerability with little effort to deliver a wide variety of payloads as remote code, have enormous propagation potential. As a result, they are evolving into mass attacks by opportunistic cybercriminals and are a current example of hybrid attacks: in the first phase, the hackers take an automated approach, then evaluate the search results, and in the second phase they manually continue to roll out the targeted attack. It is to be expected that many users will use the gap for supply chain attacks in order to attack the actually targeted company via its suppliers.
[…] However, the numerical potential of affected systems is enormous. According to search results from the openly available Shodan tool, which is also used by hackers, the number of users of a VMware ESXi host is in the tens of thousands. Especially of the old versions before ESXi 7.0, up to 60,000 hosts are visible on the Internet.
Only as of version 7.0 is the OpenSLP service, which opens up the security hole, disabled by default. OpenSLP is also an ideal gateway for taking over hypervisors after hijacking any virtual machine.
Those who want to protect themselves must therefore now resort to basic defensive measures. And that can only mean updating to the latest versions of the hypervisors. Generally blocking port 427 (TCP/UDP), which OpenSLP uses for its communication, with a firewall cannot rule out a direct attack by a hacker on a virtual machine. While it is the first defensive measure, it does not provide real security. And the waves of attacks observed now are, moreover, only harbingers of further attacks this year by experienced and advanced groups of cybercriminals."
The problem will continue to be the unpatched and probably unmaintained ESXi installations.
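To go with the two advisories above (OpenSLP reachable on port 427) and the caveat in the Bitdefender quote that blocking port 427 is only a first measure, here is an added example that is not code from the original post, from VMware or from Bitdefender: a small Python probe that sends an SLPv2 service request (RFC 2608) to UDP port 427 and parses the reply, so an administrator can find which ESXi hosts on the management network still answer SLP at all. The service type `service:VMwareInfrastructure`, the host name `esxi01.example.test` and the sample reply are assumptions constructed for this example. Any well-formed SrvRply, even one carrying an error code, shows that slpd is listening, which is exactly the exposure the two CVEs require.

```python
"""Probe hosts for a listening SLPv2 service agent (OpenSLP / slpd) on UDP 427.

Added example: builds an RFC 2608 SrvRqst, sends it, and parses the SrvRply.
Any well-formed SrvRply (even one carrying an error code) proves that slpd is
reachable on the host, the precondition for CVE-2020-3992 and CVE-2021-21974.
"""
import socket
import struct
from typing import Optional

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request
FN_SRVRPLY = 2   # Service Reply
FLAG_OVERFLOW = 0x8000
# Service type queried; assumed here to be the one ESXi's slpd advertises.
SERVICE_TYPE = "service:VMwareInfrastructure"


def _slp_string(value: str) -> bytes:
    """SLP strings are a 2-byte big-endian length followed by UTF-8 bytes."""
    data = value.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _header(function_id: int, xid: int, body_len: int, lang: bytes = b"en") -> bytes:
    """14-byte fixed header plus language tag (RFC 2608 section 8)."""
    total = 14 + len(lang) + body_len
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")          # 3-byte total length
            + struct.pack("!H", 0)              # flags: unicast, no overflow
            + (0).to_bytes(3, "big")            # next extension offset
            + struct.pack("!H", xid)
            + struct.pack("!H", len(lang)) + lang)


def build_srvrqst(xid: int, service_type: str = SERVICE_TYPE, scope: str = "DEFAULT") -> bytes:
    """SrvRqst body: PRList, service-type, scope-list, predicate, SLP SPI (all SLP strings)."""
    body = (_slp_string("") + _slp_string(service_type) + _slp_string(scope)
            + _slp_string("") + _slp_string(""))
    return _header(FN_SRVRQST, xid, len(body)) + body


def build_srvrply(xid: int, urls, error_code: int = 0) -> bytes:
    """SrvRply body: error code, URL count, URL entries. Used here only to
    construct a sample datagram; the live probe parses what the host sends."""
    body = struct.pack("!HH", error_code, len(urls))
    for url, lifetime in urls:
        u = url.encode("utf-8")
        # URL entry: reserved(1) lifetime(2) url-len(2) url auth-block-count(1)
        body += struct.pack("!xHH", lifetime, len(u)) + u + b"\x00"
    return _header(FN_SRVRPLY, xid, len(body)) + body


def parse_srvrply(data: bytes) -> dict:
    """Parse a SrvRply; raise ValueError for anything that is not an SLPv2 reply."""
    if len(data) < 14:
        raise ValueError("datagram shorter than an SLP header")
    version, function_id = data[0], data[1]
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack("!H", data[5:7])[0]
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    if version != SLP_VERSION or function_id != FN_SRVRPLY:
        raise ValueError(f"not an SLPv2 SrvRply (version={version}, function={function_id})")
    if length > len(data):
        raise ValueError("header length exceeds datagram size")
    pos = 14 + lang_len
    error_code, count = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    urls = []
    for _ in range(count):
        lifetime, url_len = struct.unpack("!xHH", data[pos:pos + 5])
        pos += 5
        urls.append((data[pos:pos + url_len].decode("utf-8", "replace"), lifetime))
        pos += url_len
        auth_count = data[pos]
        pos += 1
        for _ in range(auth_count):
            # Authentication block: BSD(2) length(2) ...; the length covers the whole block.
            pos += struct.unpack("!H", data[pos + 2:pos + 4])[0]
    return {"xid": xid, "overflow": bool(flags & FLAG_OVERFLOW),
            "error_code": error_code, "urls": urls}


def probe(host: str, timeout: float = 2.0, xid: int = 0x2023) -> Optional[dict]:
    """Send one SrvRqst to host:427/udp; return the parsed reply, or None if
    nothing SLP-like came back (port filtered, slpd disabled, or not ESXi)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srvrqst(xid), (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
            reply = parse_srvrply(data)
        except (OSError, ValueError):   # timeout, ICMP unreachable, or non-SLP data
            return None
    return reply if reply["xid"] == xid else None


# Constructed sample of a reply from an exposed host (not a real capture).
SAMPLE_REPLY = build_srvrply(
    0x2023, [("service:VMwareInfrastructure:https://esxi01.example.test/sdk", 65535)])

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        result = probe(target)
        status = "SLP ANSWERS (patch or disable slpd)" if result else "no SLP reply"
        print(f"{target}: {status}", result["urls"] if result else "")
```

Run it as `python slp_probe.py host1 host2 ...` from a machine on the management network. A host that answers with any SrvRply has slpd listening on 427 and needs the update, or the service disabled as VMware recommended. A host reported as "no SLP reply" is only unreachable from the scanner's position: a firewall that filters 427 at the perimeter says nothing about what a compromised VM on the same segment can reach, which is the point of the caveat in the quote above.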
VMware vulnerability CVE-2022-22954 threatened by ransomware, end of support for ESXi 6.5 & 6.7
Cyberattack debacle on VMware ESXi Server; "Recovery Script" for ESXiArgs Ransomware Victims
Windows Server 2022: February 2023 Patchday and the ESXi VM Secure Boot Issue
Windows Server 2022: VMware ESXi 7.0 U3k Patch for Secure Boot Issue (Update KB5022842, Feb. 2023)