www.belgium.be Logo of the federal government

Warning - Attackers are actively exploiting VMware ESXi servers to deploy ransomware

Référence: 
Advisory #2023-0015
Version: 
1.0
Logiciels concernés : 
VMware ESXi (OpenSLP)
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2021-21974

Date: 
06/02/2023

Sources

VMware - https://www.vmware.com/security/advisories/VMSA-2021-0002.htm

Risques

A successful exploitation of this zero-day vulnerability allows an attacker to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution on your ESXi hypervisors.

Description

Attackers are exploiting ESXi servers worldwide to deploy ransomware. They seem to be abusing CVE-2021-21974 to gain initial access to the ESXi server, which provide them the ability to remotely execute code (RCE) on the exploited system. Once the malware gained access to the vulnerable server, it tries to shut down the virtual machine (VM) by killing the VMX process. Once the VM has been shut down, the malware tries to encrypt the virtual machine files. Be aware that the malware is not always capable to completely shut down the VM, which can result in certain virtual machine files being locked. The locked files are then unable to be encrypted by the malware.

It is very important to perform a full system analysis if you are running a vulnerable version of ESXi, since the the attacker can drop malicious code on your system which can still be executed after updating the ESXi server. The mitigations listed below only fix the initial access vector for the attack, but do not prevent an attacker from running malicious code on a patched ESXi server.

Actions recommandées

The Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions:

Immediately deactivate the SLP service on all ESXi hypervisors which have not yet been updated.

NOTE: This wil prevent CIM client from localising CIM servers using the SLP service.

This service can be reenabled after updating the ESXi hypervisors to a non-vulnerable version.

Apply updates to all vulnerable ESXi hypervisors. Be aware that updating an ESXi server must be performed with caution to avoid problems with the continuity of the server.

The following versions of VMware ESXi are vulnerable to CVE-2021-21974:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

 

Références

NVD - https://nvd.nist.gov/vuln/detail/CVE-2021-21974

Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

OVHcloud - https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/

VMware - https://kb.vmware.com/s/article/76372