Full Report
Recent attacks leverage CVE-2021-21974 to install ransomware on VMware ESXi servers. Security teams are advised to patch (fixes have been available since February 2021), disable OpenSLP where patching is not yet possible, and stay vigilant for indicators of compromise.
Analysis Summary
# Vulnerability: VMware ESXi Heap Overflow in OpenSLP Leading to RCE (ESXiArgs Ransomware)
## CVE Details
- CVE ID: CVE-2021-21974
- CVSS Score: 8.8 (**Important**) per VMware advisory VMSA-2021-0002; the vector requires no privileges or user interaction and gives full confidentiality, integrity and availability impact, but scores the attacker as adjacent to the host's network segment rather than anywhere on the Internet.
- CWE: CWE-122 (Heap-based Buffer Overflow). The advisory does not cite a CWE; this is inferred from the vulnerability class it describes.
## Affected Systems
- Products: VMware ESXi Hypervisor
- Versions:
  - ESXi `7.0` before ESXi70U1c-17325551
  - ESXi `6.7.x` before ESXi670-202102401-SG
  - ESXi `6.5.x` before ESXi650-202102101-SG
- Configurations: Systems where the OpenSLP service (`slpd`) is running and reachable over the network on TCP/UDP port 427. SLP is enabled by default on the affected releases; VMware only disabled it by default from ESXi 7.0 U2c onward, so an unpatched host is exposed unless an administrator turned the service off.
## Vulnerability Description
CVE-2021-21974 is a heap overflow vulnerability in the OpenSLP network service, which listens on TCP and UDP port 427 by default on VMware ESXi installations. Successful exploitation allows an unauthenticated attacker who can reach port 427 to execute arbitrary code on the underlying ESXi host. VMware's advisory describes the attacker as residing on the same network segment as the host; the 2023 campaign showed that hosts whose port 427 was reachable from the Internet satisfy that condition from anywhere.
## Exploitation
- Status: **Exploited in the wild** (Used in widespread ESXiArgs ransomware attacks observed since February 3rd, 2023).
- Complexity: **Low** (Requires network access to port 427; known mechanism exploited by attackers).
- Attack Vector: **Network** (Remote Code Execution over port 427). VMware's CVSS vector rates the access as adjacent; in practice the ESXiArgs campaign mass-exploited Internet-exposed management interfaces, so treat any host with port 427 reachable from untrusted networks as remotely exploitable.
## Impact
The impact is severe due to active ransomware deployment:
- Confidentiality: **High** (RCE can lead to data exfiltration).
- Integrity: **High** (Ransomware encrypts critical VM files: .vmdk, .vmx, etc.).
- Availability: **High** (Virtual machines are rendered inaccessible due to encryption).
## Remediation
### Patches
Fixes were released with VMSA-2021-0002 on February 23rd, 2021, almost two years before the ESXiArgs campaign began, so the affected hosts were ones that had not been patched in that window. Security teams must ensure they are running versions equal to or later than:
- ESXi `7.0`: ESXi70U1c-17325551 or later.
- ESXi `6.7.x`: ESXi670-202102401-SG or later.
- ESXi `6.5.x`: ESXi650-202102101-SG or later.
### Workarounds
- Disable the OpenSLP service (`slpd`) on ESXi hosts that cannot be patched immediately, following VMware KB 76372: stop the service, disable the `CIMSLP` firewall ruleset that opens port 427, and set the service not to start at boot. Also block port 427 to ESXi hosts at the network edge. Disabling SLP is a mitigation, not a fix, and must be re-verified after upgrades on releases before 7.0 U2c, where the service is enabled by default.
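The patch-level and workaround checks above can be applied at fleet scale from command output collected on each host. The following is an added example, not code from the original report or from VMware: it parses the text of `vmware -vl`, `chkconfig --list` and `esxcli network firewall ruleset list` and classifies a host as patched, mitigated (KB 76372 workaround fully applied) or vulnerable. The 7.0 fixed build is the one named in the advisory; the 6.7 and 6.5 build numbers are assumptions taken from VMware's patch listing and should be verified before use. All sample command output is constructed.

```python
"""Triage ESXi hosts for CVE-2021-21974 exposure from collected command output.

Added example; not part of the original advisory and not VMware code.
Inputs are the raw text of three commands run on the host:
    vmware -vl
    chkconfig --list
    esxcli network firewall ruleset list
"""
import re

# Minimum fixed build per release line. 7.0 comes from VMSA-2021-0002
# (ESXi70U1c-17325551). The 6.7 and 6.5 values are ASSUMED from VMware's
# patch listing for ESXi670-202102401-SG / ESXi650-202102101-SG: verify them.
FIXED_BUILDS = {
    "7.0": 17325551,
    "6.7": 17499825,
    "6.5": 17477841,
}

# Workaround commands from VMware KB 76372 (disable SLP on the host).
KB76372_DISABLE_SLP = [
    "/etc/init.d/slpd stop",
    "esxcli network firewall ruleset set -r CIMSLP -e 0",
    "chkconfig slpd off",
]

# `vmware -vl` prints e.g. "VMware ESXi 7.0.1 build-17325551"
_VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")


def parse_version(vmware_vl: str):
    """Return (release_line, build) such as ('7.0', 17325551)."""
    m = _VERSION_RE.search(vmware_vl)
    if not m:
        raise ValueError("unrecognised `vmware -vl` output")
    return m.group(1), int(m.group(2))


def is_patched(vmware_vl: str) -> bool:
    """True if the build is at or above the fixed build for its release line.

    Release lines not in FIXED_BUILDS (e.g. 8.0) are outside the advisory's
    affected list and are reported as not vulnerable.
    """
    line, build = parse_version(vmware_vl)
    fixed = FIXED_BUILDS.get(line)
    return fixed is None or build >= fixed


def slpd_enabled_at_boot(chkconfig: str) -> bool:
    """True if `chkconfig --list` shows slpd set to start at boot."""
    for ln in chkconfig.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and parts[0] == "slpd":
            return parts[1].lower() == "on"
    return False  # service absent entirely


def cimslp_ruleset_enabled(rulesets: str) -> bool:
    """True if the CIMSLP firewall ruleset (port 427) is enabled."""
    for ln in rulesets.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and parts[0] == "CIMSLP":
            return parts[1].lower() == "true"
    return False


def assess(vmware_vl: str, chkconfig: str, rulesets: str) -> dict:
    """Classify the host and list the KB 76372 commands still needed."""
    patched = is_patched(vmware_vl)
    slp_on = slpd_enabled_at_boot(chkconfig)
    fw_open = cimslp_ruleset_enabled(rulesets)
    if patched:
        status = "patched"
    elif not slp_on and not fw_open:
        status = "mitigated"  # workaround fully applied, patch still required
    else:
        status = "vulnerable"
    return {
        "status": status,
        "patched": patched,
        "slpd_on_boot": slp_on,
        "cimslp_open": fw_open,
        "actions": list(KB76372_DISABLE_SLP) if status == "vulnerable" else [],
    }


# Constructed sample output for an unpatched 7.0 U1 host with SLP still on.
SAMPLE_VL_OLD = "VMware ESXi 7.0.1 build-17168206\nVMware ESXi 7.0 Update 1\n"
SAMPLE_CHKCONFIG = "sshd              on\nslpd              on\nntpd              off\n"
SAMPLE_RULESETS = (
    "Name       Enabled\n---------  -------\nsshServer  true\nCIMSLP     true\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_VL_OLD, SAMPLE_CHKCONFIG, SAMPLE_RULESETS))
```

Hosts classified `mitigated` should still be scheduled for the patch: the workaround only removes the exposed service and does not fix the overflow.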
## Detection
- Indicators of Compromise (IOCs): Source IP addresses observed attempting exploitation in February 2023 are published in the vendor and threat-intelligence references below; use those lists rather than a static copy here, as scanning infrastructure changes quickly.
- Detection Methods and Tools:
  - Network monitoring for TCP/UDP port 427 traffic directed at ESXi hosts, especially from outside the management network.
  - File system artifact checks: presence of `/tmp/public.pem` (the attacker's public key consumed by the encryptor), the dropped `/tmp/encrypt` binary and `/tmp/encrypt.sh` script, and `.args` companion files written next to each targeted VM file (for example `server.vmdk.args`).
  - VM file integrity monitoring on the targeted virtual machine files (.vmdk, .vmx, etc.).
- MITRE Techniques observed: T1190 (Exploit Public-Facing Application) using CVE-2021-21974; T1486 (Data Encrypted for Impact).
- Recovery: CISA released `ESXiArgs-Recover`, a script that rebuilds affected VMs from the flat disk files the encryptor left unencrypted, using the parameters recorded in the `.args` files.
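The host-artifact and network checks listed above are simple enough to automate. The following is an added example, not part of the original report and not the CISA recovery tool: it walks a copied ESXi filesystem looking for `/tmp/public.pem` and `.args` companions beside VM files, and filters constructed firewall log lines for port 427 traffic to ESXi hosts from outside the management networks. The log format, the directory tree and the addresses (RFC 5737 ranges) are all constructed for the example; the `.args` contents are placeholders, not the real format.

```python
"""Hunt for ESXiArgs artifacts and suspicious SLP traffic.

Added example; not from the original report and not the CISA tool.
Covers two detection methods: host artifacts (/tmp/public.pem and .args
companions next to VM files) and network access to port 427 on ESXi hosts.
The sample tree and log lines are constructed.
"""
import ipaddress
import os
import re
import tempfile

VM_EXTENSIONS = {".vmdk", ".vmx"}  # extensions named in the report; extend as needed
ATTACK = {
    "artifact": "T1486 Data Encrypted for Impact",
    "network": "T1190 Exploit Public-Facing Application",
}


def scan_host_tree(root: str) -> list:
    """Walk a copied ESXi filesystem at `root`; return (kind, path, technique) findings."""
    findings = []
    pem = os.path.join(root, "tmp", "public.pem")
    if os.path.isfile(pem):
        findings.append(("public_key_dropped", pem, ATTACK["artifact"]))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".args"):
                continue
            target = name[: -len(".args")]
            if os.path.splitext(target)[1].lower() in VM_EXTENSIONS:
                kind = "args_companion" if target in files else "orphan_args"
                findings.append((kind, os.path.join(dirpath, name), ATTACK["artifact"]))
    return findings


# Constructed firewall log format: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+) (\S+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def flag_slp_connections(lines, esxi_hosts, mgmt_nets) -> list:
    """Return port-427 connections to ESXi hosts whose source is outside mgmt_nets."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    hits = []
    for ln in lines:
        m = LOG_RE.match(ln.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, _action, proto, src, _sport, dst, dport = m.groups()
        if int(dport) != 427 or dst not in esxi_hosts:
            continue
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in n for n in nets):
            hits.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                         "technique": ATTACK["network"]})
    return hits


def build_sample_tree() -> str:
    """Create a constructed post-compromise tree: key in /tmp, .args beside VM files."""
    root = tempfile.mkdtemp(prefix="esxiargs-sample-")
    os.makedirs(os.path.join(root, "tmp"))
    vm = os.path.join(root, "vmfs", "volumes", "datastore1", "web01")
    os.makedirs(vm)
    with open(os.path.join(root, "tmp", "public.pem"), "w") as f:
        f.write("-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n")
    for name in ("web01.vmdk", "web01.vmx", "web01-flat.vmdk", "web01.vmdk.args", "web01.vmx.args"):
        with open(os.path.join(vm, name), "w") as f:
            f.write("constructed placeholder\n")
    return root


# Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet sources.
SAMPLE_LOG = [
    "2023-02-03T10:15:22Z allow tcp 203.0.113.45:51234 -> 192.0.2.10:427",
    "2023-02-03T10:15:23Z allow tcp 10.10.0.5:40001 -> 192.0.2.10:427",
    "2023-02-03T10:16:01Z allow tcp 203.0.113.45:51240 -> 192.0.2.10:443",
    "2023-02-03T10:16:09Z allow udp 198.51.100.7:427 -> 192.0.2.11:427",
]
ESXI_HOSTS = {"192.0.2.10", "192.0.2.11"}
MGMT_NETS = ["10.10.0.0/16"]

if __name__ == "__main__":
    for finding in scan_host_tree(build_sample_tree()):
        print(*finding)
    for hit in flag_slp_connections(SAMPLE_LOG, ESXI_HOSTS, MGMT_NETS):
        print(hit)
```

The `orphan_args` case (an `.args` file whose VM file is gone) is worth reporting separately: it usually means encryption was interrupted or the operator has already moved files during recovery, and the recovery script needs both pieces to work.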
## References
- Vendor Advisory: hxxps://www.vmware.com/security/advisories/VMSA-2021-0002.html
- Tool Availability: hxxps://github.com/cisagov/ESXiArgs-Recover
- Analysis: hxxps://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
- Threat Intelligence: hxxps://viz.greynoise.io/tag/vmware-esxi-openslp-rce-attempt?days=10
- Decryption Assistance: hxxps://enes.dev/