Learn Pentesting like a Pro!

Patch your VMware ESXi now!

pentesting.academy

Ransomware attacks are rising against ESXi infrastructure

Feb 13
ESXi (short for Elastic Sky X Integrated) is a type-1 hypervisor developed by VMware. It is a bare-metal hypervisor that runs directly on the host machine's hardware to virtualize the operating systems, creating virtual machines (VMs) on a single physical server.

After two years (oh yes, two years!) many organizations still have not patched the VMware vulnerability CVE-2021-21974:

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

Many APTs and cybercriminals are abusing this vulnerability to gain access to corporate networks and hit organizations with a ransomware campaign dubbed ESXiArgs.

The three basic recommendations that the FBI and CISA (the US Cybersecurity and Infrastructure Security Agency) published in their advisory are:

  • Update servers to the latest version of VMware ESXi software

  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service (Port TCP/427)

  • Ensure the ESXi hypervisor is not exposed to the public internet
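As an added example (not code from this post, VMware or CISA), here is a small POSIX-sh helper that checks the first two recommendations from an ESXi host's own command output: whether a 7.0 build is at or above the fixed build quoted in the CVE text, and whether the SLP firewall ruleset (port 427) is still open. The sample outputs inside it are constructed so it runs offline; on a real host you would pipe the output of `esxcli system version get` and `esxcli network firewall ruleset list` into the two functions instead.

```shell
#!/bin/sh
# Added audit helper (not from the post, VMware or CISA). Checks a host against two
# advisory points using its own esxcli output. Samples below are constructed so the
# script runs offline; on a live host pipe the real output of
# `esxcli system version get` / `esxcli network firewall ruleset list` in instead.

FIXED_BUILD_70=17325551   # ESXi70U1c build from the CVE text; 6.5/6.7 fixes are
                          # listed there by patch ID only, so they report "unknown"

# stdin: `esxcli system version get`  ->  prints patched | vulnerable | unknown
esxi_slp_fix_status() {
    version=""; build=""
    while IFS= read -r line; do
        case "$line" in
            *"Version:"*) version=$(printf '%s' "${line##*Version:}" | tr -d ' ') ;;
            *"Build:"*)   build=${line##*Releasebuild-} ;;
        esac
    done
    case "$build" in ''|*[!0-9]*) echo unknown; return ;; esac   # no usable build
    case "$version" in
        7.0*) [ "$build" -ge "$FIXED_BUILD_70" ] && echo patched || echo vulnerable ;;
        *)    echo unknown ;;
    esac
}

# stdin: `esxcli network firewall ruleset list`  ->  prints enabled | disabled | absent
cimslp_ruleset_state() {
    awk '$1 == "CIMSLP" { s = ($2 == "true") ? "enabled" : "disabled"; print s; found = 1 }
         END { if (!found) print "absent" }'
}

# $1 = version output, $2 = ruleset output  ->  prints ok | action-required
# "ok" only when the fix is present AND port 427 is not reachable through the firewall
slp_verdict() {
    fix=$(printf '%s\n' "$1" | esxi_slp_fix_status)
    fw=$(printf '%s\n' "$2" | cimslp_ruleset_state)
    if [ "$fix" = patched ] && [ "$fw" != enabled ]; then echo ok; else echo action-required; fi
}

# Constructed samples (not captured from a real host); build 16000000 is a placeholder
SAMPLE_VERSION_OLD='   Version: 7.0.0
   Build: Releasebuild-16000000'
SAMPLE_VERSION_PATCHED='   Version: 7.0.1
   Build: Releasebuild-17325551'
SAMPLE_FW_OPEN='Name       Enabled
sshServer  true
CIMSLP     true'
SAMPLE_FW_CLOSED='Name       Enabled
sshServer  true
CIMSLP     false'

printf 'old build, SLP open : %s\n' "$(slp_verdict "$SAMPLE_VERSION_OLD" "$SAMPLE_FW_OPEN")"
printf 'patched, SLP closed : %s\n' "$(slp_verdict "$SAMPLE_VERSION_PATCHED" "$SAMPLE_FW_CLOSED")"
```

The third recommendation (no public exposure) cannot be judged from the host alone; check it from your perimeter or with an external scan of your own address space.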

Luckily, for the worst-case scenario, CISA published on February 7th, 2023 a tool to recover files hit by the ESXiArgs ransomware campaign:

https://github.com/cisagov/ESXiArgs-Recover

More info:

https://www.cisa.gov/uscert/ncas/alerts/aa23-039a

© 2023 pentesting.academy