Publication Date – February 17, 2023
VMware ESXi is developed by VMware for deploying and serving virtual computers. OpenSLP (Service Location Protocol) is a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration.
OpenSLP, as used in ESXi, has a heap-overflow vulnerability [CVE-2021-21974]: the buffer that can be overwritten is allocated on the heap. A malicious actor in the same network segment as the ESXi host and with access to port 427 can trigger the overflow in the OpenSLP service, resulting in remote code execution.
Affected Versions
- 7.0 before ESXi70U1c-17325551
- 6.7 before ESXi670-202102401-SG
- 6.5 before ESXi650-202102101-SG
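The following inventory triage is an added example, not part of the original advisory or any VMware tooling. It classifies hosts against the list above from their `vmware -v` banner and puts hosts with port 427 reachable first. The host names, build numbers and reachability flags are constructed, and it assumes the numeric suffix of the 7.0 entry is that release's build number.

```python
import re

# Fixed releases, copied from the "Affected Versions" list on this page.
FIXED = {
    "7.0": "ESXi70U1c-17325551",
    "6.7": "ESXi670-202102401-SG",
    "6.5": "ESXi650-202102101-SG",
}
# Assumption: the numeric suffix of the 7.0 entry is that release's build number.
# The 6.7 and 6.5 entries are patch IDs; the page gives no build number for them.
FIXED_BUILD = {"7.0": 17325551}

BANNER = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")

def triage(banner):
    """Classify one `vmware -v` banner line against the page's list."""
    m = BANNER.search(banner)
    if not m:
        return "unparsed"
    line, build = m.group(1), int(m.group(2))
    if line not in FIXED:
        return "not-listed"
    if line in FIXED_BUILD:
        return "affected" if build < FIXED_BUILD[line] else "fixed"
    # No build threshold on the page: the installed patch must be checked by hand.
    return "verify-patch:" + FIXED[line]

def prioritise(inventory):
    """Return (host, status) for hosts needing action, port-427-reachable first."""
    rows = [(host, triage(banner), slp) for host, banner, slp in inventory]
    todo = [r for r in rows if r[1] == "affected" or r[1].startswith("verify-patch:")]
    # Stable sort: reachable hosts first, confirmed-affected before to-be-verified.
    todo.sort(key=lambda r: (not r[2], r[1] != "affected"))
    return [(host, status) for host, status, _ in todo]

# Constructed sample inventory: (host, `vmware -v` output, port 427 reachable?)
INVENTORY = [
    ("esx01.example", "VMware ESXi 7.0.1 build-17000000", False),
    ("esx02.example", "VMware ESXi 7.0.1 build-17325551", True),
    ("esx03.example", "VMware ESXi 6.7.0 build-15000000", True),
    ("esx04.example", "VMware ESXi 7.0.0 build-16000000", True),
    ("esx05.example", "VMware ESXi 8.0.0 build-20000000", True),
]

if __name__ == "__main__":
    for host, status in prioritise(INVENTORY):
        print(f"{host}: {status}")
```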