VMware ESXi is a hypervisor developed by VMware for deploying and serving virtual machines. OpenSLP is an open-source implementation of the Service Location Protocol (SLP), a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration.
OpenSLP, as used in ESXi, has a heap-overflow vulnerability [CVE-2021-21974]. The buffer that can be overwritten is allocated in the heap portion of memory. A malicious actor in the same network segment as ESXi and with access to port 427 can trigger the heap overflow in the OpenSLP service, resulting in remote code execution.
Affected Versions
- 7.0 before ESXi70U1c-17325551
- 6.7 before ESXi670-202102401-SG
- 6.5 before ESXi650-202102101-SG
Recommendations
- CISA compiled the ESXiArgs-Recover[1] [2] tool that can recover virtual machines affected by ESXiArgs ransomware attacks.
- Refer to the VMware advisory[3], which outlines how to enable/disable the SLP Service on VMware ESXi[4].
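Because exploitation requires network access to port 427, flow or firewall logs can show which ESXi hosts receive SLP traffic from outside the management network. The following is an added example, not part of the original advisory or of any VMware or CISA tool; the host inventory, the management allowlist, the CSV column layout and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

SLP_PORT = 427  # SLP uses 427/tcp and 427/udp

# Constructed inventory and flow export (assumptions, not data from the advisory).
ESXI_HOSTS = {"10.20.0.11", "10.20.0.12"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
2023-02-03T01:12:09Z,10.20.0.5,10.20.0.11,tcp,427
2023-02-03T01:14:30Z,10.50.7.40,10.20.0.11,tcp,427
2023-02-03T01:14:31Z,10.50.7.40,10.20.0.12,udp,427
2023-02-03T01:15:02Z,10.50.7.40,10.20.0.12,tcp,443
2023-02-03T01:16:00Z,not-an-ip,10.20.0.11,tcp,427
"""


def find_slp_exposure(flow_csv, esxi_hosts, mgmt_nets):
    """Return (findings, skipped): flows to port 427 on ESXi hosts whose
    source is outside mgmt_nets, and rows that could not be parsed."""
    findings, skipped = [], []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dport = int(row["dport"])
            dst = row["dst"]
            proto = (row["proto"] or "").lower()
        except (ValueError, KeyError, TypeError):
            skipped.append(row)  # keep malformed rows visible, do not drop silently
            continue
        if dst not in esxi_hosts or dport != SLP_PORT:
            continue
        if proto not in ("tcp", "udp"):
            continue
        if not any(src in net for net in mgmt_nets):
            findings.append((row["ts"], str(src), dst, proto))
    return findings, skipped


if __name__ == "__main__":
    hits, bad = find_slp_exposure(SAMPLE_FLOWS, ESXI_HOSTS, MGMT_NETS)
    for ts, src, dst, proto in hits:
        print(f"{ts} SLP/{proto} to ESXi {dst} from non-management source {src}")
    print(f"{len(bad)} unparsable row(s) skipped")
```

Any finding for a host that is expected to have SLP disabled indicates the service or firewall rule should be rechecked.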
Resources
February 17, 2023: Published.