Two CVE’s associated with VMWare ESXi are being exploited in the Wild. One major ransomware gang is abusing vulnerabilities on the ESXi platform to take over virtual machines deployed in enterprise environments by encrypting their virtual hard drives.
CVE’s 2019-5544 and 2020-3992 impact the Service Location Protocol (SLP), used by devices on the same network to discover each other, which is present in ESXi. The vulnerabilities allow an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it. This can occur even if the attacker hasn’t managed to compromise the VMWare vCenter server, which ESXi instances usually report to.
In the attacks last year, the RansomExx gang has been seen gaining access to a device in a corporate network and abusing this initial entry point to attack local ESXi instances and encrypt their virtual hard disks. This is where the virtual machines (VM’s) data is stored. Naturally, this causes disruptions to companies, as ESXi disks are usually utilised for centralising data from multiple systems.
Successful attacks can result in disruption, data corruption, financial loss, and reputational damage to an organisation. In addition to this, cybercrime forums have been advertising access to ESXi instances, which could explain the link to some of the incidents involving ransomware.
It is advised that companies relying on VMWare ESXi to manage the storage space utilised by their virtual machines to apply the necessary patches or disable SLP support to prevent the attacks by ransomware gangs.
The patches can be found here.
A guide to disabling SLP support can be found here, however, this is only recommended if the protocol remains unused.