
Rapid7 Analysis: CVE-2020-3992 — ESXi OpenSLP remote code execution vulnerability

Last updated on Jun 16, 2026

On October 20, 2020, VMware published details on CVE-2020-3992, a critical use-after-free (UAF) vulnerability in ESXi, VMware’s enterprise-class hypervisor. The flaw is in the OpenSLP service, which listens on port 427: an attacker on the management network who can reach port 427 on an ESXi host can trigger the use-after-free and achieve remote code execution. CVE-2020-3992 carries a CVSSv3 base score of 9.8.

On November 4, VMware updated their advisory to note that the October 2020 ESXi patches were incomplete and did not fully address the vulnerability. Two days later, Microsoft researcher Kevin Beaumont posted a warning on Twitter that a ransomware group was using CVE-2020-3992 and another ESXi vulnerability (CVE-2019-5544) to “bypass all Windows OS security, by shutting down VMs and encrypting the VMDKs directly on [the] hypervisor.”

CVE-2020-3992 is being exploited in the wild. As of November 10, 2020, no public exploit or proof-of-concept (PoC) code is available.

Affected products

  • ESXi 7.0
  • ESXi 6.7
  • ESXi 6.5
  • VMware Cloud Foundation (ESXi) 4.x
  • VMware Cloud Foundation (ESXi) 3.x

Note: As of November 10, 2020, updated patches for VMware Cloud Foundation ESXi have not yet been released.

Rapid7 analysis

Use-after-free vulnerabilities are notoriously difficult to exploit reliably, and for many such bugs we would stress that a quick proof-of-concept (PoC) or widespread attacks are unlikely. However, as Brendan Watters noted in his October 20 assessment of CVE-2020-3992, ESXi servers are critical infrastructure and high-value targets in many organizations: they carry high availability requirements, are difficult to patch, and offer a pathway to domain controllers and other login servers. In other words, the high cost of exploit development is offset by the payoff of successful exploitation.

Beaumont’s Twitter post indicates that so far, a single ransomware group is attacking vulnerable ESXi servers, which may mean that the group bought an exploit on the black market. Ransomware groups profit most by attacking at scale, but we also expect that other attackers—e.g., nation state-sponsored threat actors—will add CVE-2020-3992 to their toolkits for more targeted operations. If you haven’t yet read the tweet thread on the ESXi vulnerabilities, it’s highly recommended.

Rapid7 also has a blog post on this vulnerability; see the References below.

Guidance

VMware ESXi customers should apply the updated patches VMware released on November 4, 2020, or put the workaround in place, as quickly as possible. Hosts patched with the original October 2020 release are still vulnerable, since that patch was incomplete, and need the November update. As a workaround, VMware customers can disable the SLP service, which prevents CIM clients that use SLP from discovering CIM servers over port 427. Full instructions for both applying and removing the workaround are in VMware’s KB article 76372 (see References). ESXi management ports should not be exposed beyond the management network.
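The workaround above as a small script for the ESXi shell (run over SSH as root), added here as an example; it is not from the original page and not VMware’s own tooling. It assumes the commands documented in KB 76372: the `/etc/init.d/slpd` init script, the `CIMSLP` firewall ruleset, and `chkconfig`. The `DRY_RUN` switch and the function names are this example’s own, and the `chkconfig --list` sample in the comments is constructed.

```shell
#!/bin/sh
# Disable (or re-enable) the OpenSLP daemon on an ESXi host following the
# workaround in VMware KB 76372. Example script, not VMware's; run as root
# from the ESXi shell. Set DRY_RUN=1 to print the commands instead of
# executing them.

# run_cmd: execute a command, or only echo it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

# slpd_state: read `chkconfig --list` output on stdin and print the slpd
# state ("on" or "off"), or "unknown" when slpd is not listed.
# Constructed sample input:   lbtd  on
#                             slpd  off
slpd_state() {
    state=$(awk '$1 == "slpd" { print $2 }')
    case "$state" in
        on|off) echo "$state" ;;
        *)      echo "unknown" ;;
    esac
}

# disable_slp: the KB 76372 sequence. Stop the daemon, block SLP in the
# ESXi firewall, and keep it from starting at boot. KB 76372 notes slpd
# can only be stopped while idle; `esxcli system slp stats get` shows
# its state if the stop step refuses.
disable_slp() {
    run_cmd /etc/init.d/slpd stop
    run_cmd esxcli network firewall ruleset set -r CIMSLP -e 0
    run_cmd chkconfig slpd off
}

# enable_slp: reverse the workaround once the November patch is applied.
enable_slp() {
    run_cmd esxcli network firewall ruleset set -r CIMSLP -e 1
    run_cmd chkconfig slpd on
    run_cmd /etc/init.d/slpd start
}

# verify_slp_disabled: succeed (exit 0) only when chkconfig reports slpd off.
verify_slp_disabled() {
    [ "$(chkconfig --list | slpd_state)" = "off" ]
}

case "${1:-}" in
    disable) disable_slp && verify_slp_disabled && echo "slpd disabled" ;;
    enable)  enable_slp ;;
    status)  chkconfig --list | slpd_state ;;
    *)       echo "usage: $0 disable|enable|status" >&2 ;;
esac
```

`DRY_RUN=1 sh disable-slp.sh disable` prints the three commands without touching the host; `sh disable-slp.sh status` reports whether slpd is still set to start at boot, which is the check to run after the workaround and again after patching. The firewall step matters on its own: even with the daemon stopped, closing the `CIMSLP` ruleset keeps port 427 from being reachable if something restarts the service.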

References

  • https://twitter.com/GossiTheDog/status/1324896051128635392
  • https://attackerkb.com/assessments/efb2e8ff-8b65-4b33-ac6f-ff08c0f09fb6
  • https://www.vmware.com/security/advisories/VMSA-2020-0023.html
  • https://blog.rapid7.com/2020/11/11/vmware-esxi-openslp-remote-code-execution-vulnerability-cve-2020-3992-and-cve-2019-5544-what-you-need-to-know/
  • https://kb.vmware.com/s/article/76372