On November 6, 2020 Microsoft’s Kevin Beaumont alerted the community to evidence of active exploitation attempts of CVE-2020-3992 and/or CVE-2019-5544, which are remote code execution (RCE) vulnerabilities in VMware ESXi’s Service Location Protocol (SLP) service. VMware had issued a patch for this weakness on October 20, 2020, but that patch failed to fully address the vulnerability, and an updated patch was released on November 4, 2020.
Any organization that has not applied this second patch and has VMware ESXi management ports exposed beyond a management network is at risk of having, in Kevin’s words, “[r]ansomware groups …bypass[ing] all Windows OS security, …shutting down VMs and encrypting the VMDK’s directly on hypervisor,” effectively making this a potential virtual data center-wide ransomware event.
Before reading on, Rapid7 advises all VMware ESXi users to ensure they have the second patch applied to their systems as quickly as possible. If at all possible, please don’t wait for your typical patch cycle to apply these ESXi security updates. If patching is not possible, the following section references potential workarounds until a patch can be applied. Further analysis is available in AttackerKB.
ESXi SLP vulnerability information
VMware noted that the following versions are affected:
- ESXi 7.0
- ESXi 6.7
- ESXi 6.5
- VMware Cloud Foundation (ESXi) 4.x
- VMware Cloud Foundation (ESXi) 3.x
As noted in their knowledge base article, a workaround is available and requires:
Stopping the SLP service. First run:
esxcli system slp stats get
to determine whether the service is in use (it must be quiescent before it can be stopped).
Then, run the following two commands to disable the SLP firewall ruleset and ensure the change survives a reboot:
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
The setting can be validated by running:
chkconfig --list | grep slpd
and receiving a
slpd off
message.
The KB article has information on reactivating the service.
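To confirm the workaround is actually in place on a host, the following POSIX shell helper (an added example, not part of the Rapid7 post or the VMware KB) parses the output of chkconfig --list and esxcli network firewall ruleset list and reports whether both the slpd startup setting and the CIMSLP ruleset are disabled. The sample command output embedded below is constructed, and the two-column Name/Enabled layout assumed for esxcli network firewall ruleset list is an assumption.

```shell
#!/bin/sh
# Added verification helper for the ESXi SLP workaround (not from the Rapid7 post
# or the VMware KB). It checks the two settings the workaround changes:
#   1. slpd must be "off" in `chkconfig --list` (does not start at boot)
#   2. the CIMSLP ruleset must be "false" in `esxcli network firewall ruleset list`

# Returns 0 when slpd is disabled at boot; reads `chkconfig --list` output on stdin.
slpd_disabled_at_boot() {
    awk '$1 == "slpd" { found = 1; if ($2 == "off") ok = 1 } END { exit !(found && ok) }'
}

# Returns 0 when the CIMSLP ruleset is disabled; reads the ruleset list on stdin.
# Assumed column layout: "Name  Enabled" with true/false in the second column.
cimslp_ruleset_disabled() {
    awk '$1 == "CIMSLP" { found = 1; if ($2 == "false") ok = 1 } END { exit !(found && ok) }'
}

# Combines both checks. Arguments: chkconfig output, ruleset list output.
# Prints a one-line verdict and returns 0 only when both checks pass.
slp_workaround_status() {
    chk="$1"
    fw="$2"
    boot=fail
    rule=fail
    printf '%s\n' "$chk" | slpd_disabled_at_boot && boot=ok
    printf '%s\n' "$fw" | cimslp_ruleset_disabled && rule=ok
    echo "slpd at boot: $boot, CIMSLP ruleset: $rule"
    [ "$boot" = ok ] && [ "$rule" = ok ]
}

# Constructed sample output resembling a host where the workaround was applied.
SAMPLE_CHKCONFIG='sshd            on
slpd            off
ntpd            on'
SAMPLE_RULESET='Name      Enabled
--------  -------
sshServer true
CIMSLP    false'

# On a real ESXi host, feed the live command output instead of the samples:
#   slp_workaround_status "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
slp_workaround_status "$SAMPLE_CHKCONFIG" "$SAMPLE_RULESET"
```

A non-zero exit status means at least one of the two settings is still in its default state and the workaround is incomplete.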
You must either apply the patch or perform the mitigation if your ESXi management network is not on an isolated network segment.