
Date: 06-02-2023

Two years ago, on the 25th of February 2021, we sent a Threat Response[1] regarding multiple critical vulnerabilities in VMware products. One of these vulnerabilities (CVE-2021-21974) affects VMware ESXi and allows threat actors to execute arbitrary code on vulnerable ESXi systems when they are able to reach the system over the network on port 427.

Currently, threat actors are actively targeting VMware ESXi[2] by deploying ransomware on systems that have not yet been patched for this vulnerability. Worldwide, more than 120 systems show signs of being encrypted by ransomware[3], and the Northwave CERT is already supporting several organisations that are victims of these attacks.

Impact

Vulnerability CVE-2021-21974 applies to ESXi and Cloud Foundation and makes it possible for a threat actor with access to port 427 (OpenSLP) to exploit a memory-corruption vulnerability, after which remote code can be executed[4]. The impact of this vulnerability is estimated as high. Currently, organisations are being hit with ransomware, resulting in the encryption of all virtual machines on the compromised VMware ESXi systems. However, threat actors can also choose other payloads, resulting in different types of attack.

Risk

As the vulnerability is under active attack, the risk of exploitation is high.

What should you do?

VMware has provided patches that resolve the vulnerability. Northwave advises applying these patches immediately on ESXi and Cloud Foundation instances where applicable. Northwave also recommends preventing access to the management interfaces of VMware ESXi systems from the internet in general.
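A quick way to verify that the advice above holds in practice is to check perimeter firewall logs for connections to the OpenSLP port (427) on ESXi management addresses that did not come from a trusted management network. The following is an added example, not code from Northwave or the advisory; the ESXi addresses, the trusted network (10.0.0.0/8) and the log-line format are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import namedtuple

SLP_PORT = 427  # OpenSLP, the service reached over port 427 in CVE-2021-21974

# Assumed for this example: the ESXi management addresses and the only
# networks from which management access is legitimate.
ESXI_HOSTS = {"10.50.1.10", "10.50.1.11"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample firewall log lines (not from the advisory) in an
# assumed "timestamp action src:port -> dst:port proto" format.
SAMPLE_LOG = """\
2023-02-06T08:01:12Z ALLOW 203.0.113.45:51022 -> 10.50.1.10:427 TCP
2023-02-06T08:01:13Z ALLOW 10.20.0.5:44120 -> 10.50.1.10:427 TCP
2023-02-06T08:02:01Z ALLOW 198.51.100.7:60211 -> 10.50.1.10:443 TCP
2023-02-06T08:02:40Z DENY 203.0.113.45:51030 -> 10.50.1.11:427 TCP
2023-02-06T08:03:05Z ALLOW 203.0.113.99:40001 -> 10.50.1.11:427 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)

Finding = namedtuple("Finding", "ts action src dst proto")

def is_trusted(src: str) -> bool:
    """True when the source lies inside a network allowed to reach management."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def find_exposed_slp(log_text: str) -> list:
    """Return connections to port 427 on ESXi hosts from untrusted sources.

    An ALLOW means SLP on that host is reachable from outside and must be
    fixed; a DENY still shows the host is being probed and is worth a look.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        if (m["dst"] in ESXI_HOSTS and int(m["dport"]) == SLP_PORT
                and not is_trusted(m["src"])):
            findings.append(Finding(m["ts"], m["action"], m["src"], m["dst"], m["proto"]))
    return findings
```

Run against the constructed log, the check reports the two allowed connections from outside plus the denied probe, and ignores the internal connection and the HTTPS traffic.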

What will Northwave do?

Customers with a Northwave NIDS deployed in their network as part of their Northwave IDRS subscription are monitored for exploitation attempts against this vulnerability. Vulnerability Management customers will be informed if vulnerable systems are detected in their infrastructure. Northwave will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

Sources

[1]: https://northwave-security.com/threat-response-vmwareremotecodeexecutionvulnerabilities/

[2]: https://www.ncsc.nl/actueel/advisory?id=NCSC%2D2021%2D0173

[3]: https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.