The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,184 other subscribers

Large (hundreds) CVE-2021-21974 ESXi VMware based ESXiArgs (Nevada?) ransomware attacks

Posted by jpluimers on 2023/02/04 results for query html:"We hacked your company successfully" title:"How to Restore Your Files"[Wayback/Archive] Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
“As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said.
“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven’t yet been updated.
CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.
CVE-2021-21974 affects the following systems:
  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

[Wayback/Archive] Esxi Ransomware Help and Support Topic (ESXiArgs / .args extension) – Page 2 – Ransomware Help & Tech Support (there are now 4 pages, most victims OVH, likely many more pages to follow)

[Wayback/Archive] How to Disable/Enable the SLP Service on VMware ESXi (76372)

[Wayback/Archive] html:”We hacked your company successfully” title:”How to Restore Your Files” – Shodan Search which resulted in the above image (I tweeted it at [Wayback/Archive] Jeroen Wiert Pluimers on Twitter: “@vmiss33”)

Commands used in [Wayback/Archive] Jeroen Wiert Pluimers on Twitter: “@vmiss33 I did forget to disable SLP on a patched system, but doing that is easy as per

/etc/init.d/slpd status
/etc/init.d/slpd stop
esxcli system slp stats get
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
chkconfig --list | grep slpd

More links to follow, but I’m away from keyboard for most of the day.


[root@ESXi-X10SRH-CF:~] /etc/init.d/slpd status slpd is running [root@ESXi-X10SRH-CF:~] /etc/init.d/slpd stop Stopping slpd [root@ESXi-X10SRH-CF:~] esxcli system slp stats get SLP Agent not responding, may be shut down, connect uds socket(/var/run/slpd.ctl) failed 2, err= No such file or directory [root@ESXi-X10SRH-CF:~] esxcli network firewall ruleset set -r CIMSLP -e 0 [root@ESXi-X10SRH-CF:~] chkconfig slpd off [root@ESXi-X10SRH-CF:~] chkconfig --list | grep slpd slpd off

Having used OVH in the past it blew my mind that the default management NIC was WAN, as you deploy these things via a provisioning template, and that they include a firewall upstream, the template doesn’t enable it and restrict access to current IP at a minimum.


My RCE PoC walkthrough for (CVE-2021–21974) VMware ESXi OpenSLP heap-overflow vulnerabilityTCP port 427

Service Location Protocol (SLP) is a network service that listens on TCP and UDP port 427 on default installations of VMware ESXi. The implementation VMware uses is based on OpenSLP 1.0.1. VMware maintains its own version and has added some hardening to it. Additionally, VMware now recommends disabling the OpenSLP service in ESXi if it is not used.

How to Disable/Enable the SLP Service on VMware ESXi To implement the workaround perform the following steps:

1 Login to the ESXi hosts using an SSH session (such as putty)       2 Stop the SLP service on the ESXi host with this command: /etc/init.d/slpd stop Note: The SLP service can only be stopped when the service is not in use. Use the following command to view the operational state of Service Location Protocol Daemon: esxcli system slp stats get
3 Run the following command to disable the SLP service: esxcli network firewall ruleset set -r CIMSLP -e 0 To make this change persist across reboots: chkconfig slpd off To check if the change is applied across reboots: chkconfig –list | grep slpd output: slpd o

Port requirements for ESXi


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: