The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Large (hundreds) CVE-2021-21974 ESXi VMware based ESXiArgs (Nevada?) ransomware attacks

Posted by jpluimers on 2023/02/04

Shodan.io results for query html:"We hacked your company successfully" title:"How to Restore Your Files"

[Wayback/Archive] Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
“As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said.
“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven’t yet been updated.
CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.
CVE-2021-21974 affects the following systems:
  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

[Wayback/Archive] Esxi Ransomware Help and Support Topic (ESXiArgs / .args extension) – Page 2 – Ransomware Help & Tech Support (there are now 4 pages, most victims OVH, likely many more pages to follow)

[Wayback/Archive] How to Disable/Enable the SLP Service on VMware ESXi (76372)

[Wayback/Archive] html:”We hacked your company successfully” title:”How to Restore Your Files” – Shodan Search which resulted in the above image (I tweeted it at [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “@vmiss33”)

Commands used in [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “@vmiss33 I did forget to disable SLP on a patched system, but doing that is easy as per kb.vmware.com/s/article/76372:

/etc/init.d/slpd status
/etc/init.d/slpd stop
esxcli system slp stats get
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
chkconfig --list | grep slpd

More links to follow, but I’m away from keyboard for most of the day.

–jeroen


[root@ESXi-X10SRH-CF:~] /etc/init.d/slpd status slpd is running [root@ESXi-X10SRH-CF:~] /etc/init.d/slpd stop Stopping slpd [root@ESXi-X10SRH-CF:~] esxcli system slp stats get SLP Agent not responding, may be shut down, connect uds socket(/var/run/slpd.ctl) failed 2, err= No such file or directory [root@ESXi-X10SRH-CF:~] esxcli network firewall ruleset set -r CIMSLP -e 0 [root@ESXi-X10SRH-CF:~] chkconfig slpd off [root@ESXi-X10SRH-CF:~] chkconfig --list | grep slpd slpd off

Having used OVH in the past, it blew my mind that the default management NIC was WAN, as you deploy these things via a provisioning template, and that, although they include a firewall upstream, the template doesn’t enable it and restrict access to the current IP at a minimum.

CVE-2021-21974

https://www.google.com/search?q=CVE-2021-21974

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

https://blogs.vmware.com/vsphere/2021/02/evolving-the-vmware-vsphere-security-configuration-guides.html

https://core.vmware.com/security-configuration-guide

https://github.com/Shadow0ps/CVE-2021-21974

https://github.com/straightblast/My-PoC-Exploits/blob/master/CVE-2021-21974.py

https://straightblast.medium.com/my-poc-walkthrough-for-cve-2021-21974-a266bcad14b9

My RCE PoC walkthrough for (CVE-2021-21974) VMware ESXi OpenSLP heap-overflow vulnerability

TCP port 427

https://www.zerodayinitiative.com/blog/2021/3/1/cve-2020-3992-amp-cve-2021-21974-pre-auth-remote-code-execution-in-vmware-esxi

Service Location Protocol (SLP) is a network service that listens on TCP and UDP port 427 on default installations of VMware ESXi. The implementation VMware uses is based on OpenSLP 1.0.1. VMware maintains its own version and has added some hardening to it. Additionally, VMware now recommends disabling the OpenSLP service in ESXi if it is not used.

https://kb.vmware.com/s/article/76372

How to Disable/Enable the SLP Service on VMware ESXi

To implement the workaround perform the following steps:

1 Login to the ESXi hosts using an SSH session (such as putty)
2 Stop the SLP service on the ESXi host with this command:
  /etc/init.d/slpd stop
  Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of Service Location Protocol Daemon:
  esxcli system slp stats get
3 Run the following command to disable the SLP service:
  esxcli network firewall ruleset set -r CIMSLP -e 0
  To make this change persist across reboots:
  chkconfig slpd off
  To check if the change is applied across reboots:
  chkconfig --list | grep slpd
  output: slpd o
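The tweeted command list above and the KB 76372 steps change three things on a host (the running slpd daemon, the CIMSLP firewall ruleset, and the boot-time chkconfig entry), and it is easy to forget one of them, as the tweet itself admits. The following POSIX sh script is an added example, not part of this post and not VMware's code: an audit helper that reads the output of those same commands and reports whether the workaround is fully in place. The expected output formats (the `slpd is running` / `slpd is not running` status text, the `SLP Agent not responding` error, the `slpd off` chkconfig line and the `Name`/`Enabled` columns of `esxcli network firewall ruleset list`) are assumptions modelled on the session shown earlier; the sample strings in the block are constructed so it can run off-box.

```shell
#!/bin/sh
# Added example, not part of the post or of VMware KB 76372: an audit helper that
# reports whether the SLP workaround for CVE-2021-21974 is fully in place on an
# ESXi host. It checks the three things the KB procedure changes: the running slpd
# daemon, the CIMSLP firewall ruleset, and the boot-time chkconfig setting.
# The parsers take command output as text so they can be exercised off-box; the
# output formats they expect are assumptions based on the session in the post.

# Running state from `/etc/init.d/slpd status` (or the error text that
# `esxcli system slp stats get` prints once the daemon is down).
# Prints "stopped", "running" or "unknown".
slpd_run_state() {
    case "$1" in
        *"is not running"*|*"not responding"*) echo stopped ;;
        *"is running"*)                         echo running ;;
        *)                                      echo unknown ;;
    esac
}

# Boot-time state from `chkconfig --list | grep slpd`.
# Prints "off", "on" or "unknown".
slpd_boot_state() {
    case "$1" in
        *slpd*off*) echo off ;;
        *slpd*on*)  echo on ;;
        *)          echo unknown ;;
    esac
}

# Firewall state from `esxcli network firewall ruleset list`: the "Enabled"
# column of the CIMSLP row. Prints "true", "false" or "unknown".
cimslp_ruleset_state() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { print $2; found = 1 }
                               END { if (!found) print "unknown" }'
}

# Combine the three checks. Returns 0 only when slpd is stopped, the CIMSLP
# ruleset is disabled and slpd will not start at boot; prints one line per check.
slp_workaround_complete() {
    run=$(slpd_run_state "$1")
    fw=$(cimslp_ruleset_state "$2")
    boot=$(slpd_boot_state "$3")
    echo "slpd daemon:    $run"
    echo "CIMSLP ruleset: $fw"
    echo "slpd at boot:   $boot"
    [ "$run" = stopped ] && [ "$fw" = false ] && [ "$boot" = off ]
}

# Run the real commands when on an ESXi shell; otherwise return 2.
audit_live() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found; not an ESXi shell"; return 2; }
    slp_workaround_complete \
        "$(/etc/init.d/slpd status 2>&1)" \
        "$(esxcli network firewall ruleset list 2>&1)" \
        "$(chkconfig --list 2>&1 | grep slpd)"
}

# Constructed sample output (assumed format) for the ruleset list before and
# after the workaround; only the CIMSLP row matters to the parser.
SAMPLE_RULESET_BEFORE="Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true"

SAMPLE_RULESET_AFTER="Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               false"

# Demo on the constructed "after" state: prints three lines and exits 0.
slp_workaround_complete "slpd is not running" "$SAMPLE_RULESET_AFTER" "slpd off"
```

On a host, call `audit_live` instead of the demo line; a non-zero exit from it tells you which of the three steps from the KB article is still missing, which is the same gap the tweet describes (a patched system where SLP had not been disabled).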

https://communities.vmware.com/t5/ESXi-Discussions/Do-we-need-the-SLP-Service-on-Port-427/td-p/1342043

Port requirements for ESXi

