A two-year-old heap overflow vulnerability in VMware ESXi hypervisors seems to have come to the attention of a ransomware operator that is targeting unpatched systems indiscriminately in what has the potential to become a serious incident, and may already have claimed more than 300 victims, according to warnings.
Tracked as CVE-2021-21974, the vulnerability exists in how VMware ESXi processes service location protocol (SLP) messages, and stems from a lack of validation over the length of user-supplied data before copying it to a heap-based buffer. If left untreated, it allows an unauthenticated attacker to execute arbitrary
In an alert issued immediately prior to the weekend of 4-5 February, France’s national Computer emergency response team (CERT), CERT-FR, said: “On 3 February 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them. These attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since 23 February 2021.
“CERT-FR recommends applying without delay the workaround proposed by the publisher…which consists of disabling the SLP service on ESXi hypervisors that have not been updated. CERT-FR strongly recommends applying all patches available for the ESXi hypervisor.”
However, CERT-FR added, applying a patch along may not be enough as an attacker may well have already exploited the vulnerability to drop malicious code, so defenders should also run a full system scan at the same time.
Systems targeted by the attacker in the campaign observed by CERT-FR are versions 6.x up to 6.7 of the ESXi hypervisor. However, ESXi 7.x earlier than ESXi70U1c-17325551; ESXi 6.7.x earlier than ESXi670-202102401-SG; and ESXi 6.5.x earlier than ESXi650-202102101-S, are also known to be vulnerable.
Andy Norton, European cyber risk officer at Armis said: “The ongoing VMware ESXi Ransomware attack is a major global incident. The potential negative impact for entities who are exposed is high and all VMWare ESXi users are strongly encouraged to take prompt action.
“The majority of impacted entities are spread across Europe. Speculation still surrounds who the bad actors ultimately are in this case…however, the good news is there is an active fix for the vulnerability.”
As with any vulnerability affecting VMware’s ESXI lines, CVE-2021-21974 carries a higher than average potential for disruption because of the sheer volume of other applications and systems that it can be used to access. Those that missed the 2021 advisory or decided not to patch must now do so without fail.
The ransomware in question seems to be a new strain that has been dubbed ESXIArgs, and according to some early analysis, may be based on leaked Babuk source code. Analysts at OVHCloud, who have also been tracking the campaign, said that in some cases process by which ESXIArgs encrypts its victims’ files has been seen to partially fail, meaning it may be possible to recover data in some instances.
Stefan van der Wal, EMEA consulting solutions engineer for application security at Barracuda Networks, commented: “This highlights how important it is to update key software infrastructure systems as quickly as possible. It isn’t aways easy for organisations to update software. In the case of this patch, for example, organisations need to disable temporarily essential parts of their IT infrastructure. But it is far better to face that than to be hit by a potentially damaging attack.
“Virtual machines can be attractive targets for ransomware since they often run business-critical services or functions – and a successful attack could cause extensive disruption. It is particularly important to ensure that access to a virtual system’s management console is secured and can’t be easily accessed through a compromised account on the corporate network, for example.
“To fully protect virtual infrastructure, it is important to segregate it from the rest of the business network, ideally as part of a zero-trust approach. Organisations deploying ESXi should update immediately to the latest version, if they haven’t already done so – and do a full security scan of the servers to ensure they haven’t been compromised,” said van der Wal.
