The news media is reporting ransomware attacks on vulnerable VMware ESXi hypervisors that exploit CVE-2021-21974. Attack campaigns are targeting unpatched and internet-exposed instances using CVE-2021-21974, a heap overflow in the VMware ESXi OpenSLP service that leads to remote code execution (RCE).
The attack campaigns appear to be exploiting CVE-2021-21974, for which a patch has been available since February 23, 2021. Systems running ESXi versions 7.0, 6.7 and 6.5 are currently being targeted and are at the greatest risk.
What is CVE-2021-21974? VMware’s advisory VMSA-2021-0002 describes CVE-2021-21974 (CVSS 8.8) as follows: a “malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.”
What should organizations do?
- Identify which ESXi servers are vulnerable in your environment.
- As an interim solution, system administrators should ensure unpatched ESXi servers are firewalled, with no ports exposed. VMware is urging users to stop the SLP service on the ESXi host or restrict access to only trusted IP addresses (https://kb.vmware.com/s/article/76372).
- Apply the latest security patch for ESXi as soon as possible.
- Immediately report any related security incident to CISA or the FBI.
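The interim step above (stop the SLP service and close port 427) can be verified and applied from the ESXi shell. The script below is an added example, not code from this post or from VMware: the three commands in apply_slp_mitigation are the ones VMware KB 76372 documents, while the column layouts of `esxcli network firewall ruleset list` and `chkconfig --list` that the check functions parse are assumptions, and the sample captures are constructed.

```shell
#!/bin/sh
# Added example (not from the post or VMware): off-box checks for the interim
# mitigation in VMware KB 76372, plus the KB's own commands for the ESXi shell.
# Output formats below are assumptions: "Name  Enabled" columns from
# `esxcli network firewall ruleset list` and "slpd  on|off" from `chkconfig --list`.

# Exit 0 if the CIMSLP firewall ruleset is still enabled in the captured listing.
cimslp_ruleset_enabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "true" { f = 1 } END { exit !f }'
}

# Exit 0 if slpd is still configured to start at boot in the captured chkconfig output.
slpd_enabled() {
    printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "on" { f = 1 } END { exit !f }'
}

# Mitigation is still needed if either path to OpenSLP on port 427 remains open.
slp_mitigation_needed() {
    cimslp_ruleset_enabled "$1" || slpd_enabled "$2"
}

# Run only in the ESXi shell: stop slpd, block the CIMSLP ruleset, keep slpd off after reboot.
apply_slp_mitigation() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Constructed sample captures used to exercise the checks offline.
SAMPLE_RULES_OPEN='Name       Enabled
---------  -------
sshServer  true
CIMSLP     true'
SAMPLE_RULES_CLOSED='Name       Enabled
---------  -------
sshServer  true
CIMSLP     false'
SAMPLE_BOOT_ON='slpd             on'
SAMPLE_BOOT_OFF='slpd             off'

# Live check on a real host: ./slp_check.sh --check (skipped where esxcli is absent).
if [ "${1:-}" = "--check" ] && command -v esxcli >/dev/null 2>&1; then
    if slp_mitigation_needed "$(esxcli network firewall ruleset list)" "$(chkconfig --list)"; then
        echo "OpenSLP still reachable on this host: run apply_slp_mitigation"
    else
        echo "OpenSLP service and CIMSLP ruleset are disabled"
    fi
fi
```

A host that reports the CIMSLP ruleset disabled but slpd still set to start at boot is still flagged, since a reboot would bring the service back.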
How can BigFix help?
Organizations using BigFix have the most effective tool for finding vulnerable ESXi systems and remediating CVE-2021-21974. BigFix automates discovery, management, and remediation of all endpoints, whether on-premises, mobile, virtual, or in the cloud, regardless of operating system, location, or connectivity. BigFix Insights for Vulnerability Remediation integrates with leading vulnerability management solutions like Tenable to remediate vulnerabilities faster than any other solution in the market. For more information about HCL BigFix.