Last updated at Wed, 11 Nov 2020 00:41:10 GMT

What’s up?

On November 6, 2020, Microsoft’s Kevin Beaumont alerted the community to evidence of active exploitation attempts against CVE-2020-3992 and/or CVE-2019-5544, which are remote code execution (RCE) vulnerabilities in the Service Location Protocol (SLP) service of VMware ESXi. VMware issued a patch for this weakness on October 20, 2020, but that patch did not effectively address the vulnerability, and an updated patch was released on November 4, 2020.

Any organization that has not applied this second patch and has VMware ESXi management ports exposed beyond a management network is at risk of having, in Kevin’s words, “[r]ansomware groups …bypass[ing] all Windows OS security, …shutting down VMs and encrypting the VMDK’s directly on hypervisor,” effectively making this a potential virtual data center-wide ransomware event.

Before reading on, Rapid7 advises all VMware ESXi users to ensure they have the second patch applied to their systems as quickly as possible. If at all possible, please don’t wait for your typical patch cycle to apply these ESXi security updates. If patching is not possible, the following section references potential workarounds until a patch can be applied. Further analysis is available in AttackerKB.

ESXi SLP vulnerability information

VMware noted that the following versions are affected:

  • ESXi 7.0
  • ESXi 6.7
  • ESXi 6.5
  • VMware Cloud Foundation (ESXi) 4.x
  • VMware Cloud Foundation (ESXi) 3.x

As noted in their knowledge base article, a workaround is available and requires:

Stopping the SLP service via:

/etc/init.d/slpd stop

after executing:

esxcli system slp stats get

to determine whether the service is in use (it must be quiescent before it can be stopped).

Then, run the following two commands to disable the SLP service and ensure the change survives a reboot:

esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off

The setting can be validated by running:

chkconfig --list | grep slpd

and confirming that the output shows slpd off.
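The workaround steps above, run in order with the validation as a hard check, as an added example script (not from VMware's KB or the original post). The `--confirm-idle` argument and the `SLPD_INIT` variable are names invented for this example; the script does not interpret the stats output and leaves that judgement to the operator.

```sh
#!/bin/sh
# Added example, not VMware's or Rapid7's code: runs the workaround in KB order.
# SLPD_INIT and --confirm-idle are names invented for this example.
SLPD_INIT="${SLPD_INIT:-/etc/init.d/slpd}"

# Succeeds only when chkconfig lists slpd as "off" (the persistent setting).
slpd_disabled() {
    chkconfig --list | awk '$1 == "slpd" && $2 == "off" { ok = 1 } END { exit !ok }'
}

# The stats command always runs; the remaining steps run only once the
# operator has confirmed from the stats that nothing is using SLP.
apply_slp_workaround() {
    esxcli system slp stats get || return 1
    if [ "$1" != "--confirm-idle" ]; then
        echo "Review the SLP stats above, then re-run with --confirm-idle" >&2
        return 2
    fi
    # Stop the running daemon, close the firewall ruleset, disable at boot.
    "$SLPD_INIT" stop || return 1
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off || return 1
    # Treat a failed validation as a failed mitigation, not a warning.
    if ! slpd_disabled; then
        echo "slpd is still enabled in chkconfig; workaround NOT in effect" >&2
        return 3
    fi
    echo "SLP workaround applied: slpd stopped and off, CIMSLP ruleset disabled"
}
```

Source the file in the ESXi shell, call `apply_slp_workaround` once to view the stats, then call it again with `--confirm-idle`. `slpd_disabled` can also be run on its own afterwards to audit that the setting is still in place.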

The KB article has information on reactivating the service.

You must either apply the patch or perform the mitigation if your ESXi management network is not on an isolated network segment.
