
Critical RCE and SLP Protocol Vulnerabilities in VMWare


On 23 February 2021, VMware announced that it had patched multiple vulnerabilities in its vCenter and ESXi products: a critical unauthenticated remote code execution (RCE), a server-side request forgery (SSRF), and a heap overflow in the OpenSLP protocol. VMware's 23 February advisory provides patch updates as well as workarounds. Additionally, as of the evening of 24 February, multiple exploit proofs of concept (POCs) for one or more of the vulnerabilities had been publicly released. The Fidelis Threat Intel team strongly advises ensuring that the updates or workarounds are implemented, given the potential impact and fallout of a successful compromise. TRT Intel is also aware of ransomware and possible state-sponsored activity that leveraged vulnerabilities in VMware products in previous campaigns.

Threat and Technical Data

On 23 February 2021, VMware announced that it had patched multiple vulnerabilities in its vCenter and ESXi products: a critical unauthenticated remote code execution (RCE) (CVE-2021-21972), a server-side request forgery (SSRF) (CVE-2021-21973), and a heap overflow in the OpenSLP protocol as used by ESXi (CVE-2021-21974). A summary of each vulnerability follows:

CVE-2021-21972 – an unauthenticated RCE in vCenter Server (Critical)

CVE-2021-21973 – an SSRF vulnerability in the vSphere Client plugin for vCenter, resulting in information disclosure; requires network access to port 443 (Moderate)

CVE-2021-21974 – a heap overflow in the ESXi Service Location Protocol (SLP) service on port 427, which may result in RCE (Critical)

The vulnerabilities were initially discovered and reported to VMware in October 2020. VMware acknowledged them and began working on a remedy, which was completed in February 2021. Official technical details and proofs of concept (POCs) were withheld from the public until 24 February, when two POCs were dropped onto GitHub, after which a technical paper by researchers at the security firm PTSwarm was also released.

Conclusion & Assessment

The Fidelis Threat Intel Team has previously identified vulnerabilities in VMware products, including CVE-2020-4006, as priority vulnerabilities that may pose a high risk to organizations running unpatched or insecure installations. This and other vulnerabilities in various VMware products, including ESXi (over SLP), vIDM, and vAccess, have been leveraged by state-sponsored or state-employed groups as well as by ransomware-affiliated campaigns. In addition to segregating and/or securing management consoles from VM instances and disabling unused ports and protocols where possible, organizations are advised to implement the updates or workarounds provided by the vendor in the security advisory released on 23 February. TRT Intel will continue to provide proactive, risk-based assessments and indications and warnings of trending and emerging vulnerability threats to organizations.
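The advisory ties each CVE to a listening port (443 for the vCenter/vSphere Client issues, 427 for ESXi's SLP service), which is enough to build a quick exposure check that tells a defender which hosts still need the patch or the port-disabling workaround. The script below is an added example, not code from Fidelis or VMware; the inventory hostnames and the fake_probe results are constructed, and the CVE-to-port mapping is taken only from the advisory text above. It performs a plain TCP connect check, so a host that answers on 427 or 443 is listed for patching or for the vendor workaround (disabling SLP), ordered with Critical findings first.

```python
"""Exposure check for the ports named in the VMware vCenter/ESXi advisory (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Role -> [(port, CVE, severity)], taken from the advisory summary above.
# A reachable port does not prove a host is unpatched; it marks it for verification.
ADVISORY_PORTS: Dict[str, List[Tuple[int, str, str]]] = {
    "vcenter": [(443, "CVE-2021-21972", "Critical"), (443, "CVE-2021-21973", "Moderate")],
    "esxi": [(427, "CVE-2021-21974", "Critical")],
}


@dataclass(frozen=True)
class Finding:
    host: str
    role: str
    port: int
    cve: str
    severity: str


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check: True if something accepts the connection, False on refusal/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(inventory: List[Tuple[str, str]],
           probe: Callable[[str, int], bool] = port_open) -> List[Finding]:
    """Return one Finding per (host, CVE) whose advisory port is reachable.

    inventory: list of (hostname, role) with role 'vcenter' or 'esxi'.
    probe: injectable connect check, so the assessment can run against a fake offline.
    """
    findings: List[Finding] = []
    for host, role in inventory:
        for port, cve, severity in ADVISORY_PORTS.get(role, []):
            if probe(host, port):
                findings.append(Finding(host, role, port, cve, severity))
    # Critical findings first, then by host, so the output is already a patch priority list.
    findings.sort(key=lambda f: (f.severity != "Critical", f.host))
    return findings


def local_listener() -> Tuple[socket.socket, int]:
    """Open a listener on an ephemeral loopback port so port_open can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


# Constructed inventory: placeholder hostnames, not real systems.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("vcsa01.example.test", "vcenter"),
    ("esxi01.example.test", "esxi"),
    ("esxi02.example.test", "esxi"),
]


def fake_probe(host: str, port: int) -> bool:
    """Stand-in for port_open so the sample runs offline.

    Constructed scenario: esxi02 already has SLP disabled (workaround applied),
    esxi01 still exposes SLP, and vCenter naturally answers on 443.
    """
    return (host, port) in {("esxi01.example.test", 427), ("vcsa01.example.test", 443)}


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, probe=fake_probe):
        print(f"{f.severity:8} {f.host:22} tcp/{f.port}  {f.cve}  -> confirm patch level or apply workaround")
```

Running it with the real `port_open` against your own inventory replaces `probe=fake_probe` with the default; hosts that no longer answer on 427 have the SLP workaround in place, while vCenter will always answer on 443, so those entries are a reminder to verify the patch level rather than evidence of exposure.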


About Author

Rami Mizrahi

Rami Mizrahi is the Vice President of Research and Development for Deception at Fidelis Security. He has been leading the Deception R&D team for over six years, since the inception of TopSpin Security and through the acquisition by Fidelis Security. Prior to that, he led the WAF development team at Breach Security. Rami has over 20 years of experience in software development, specializing in enterprise security.
