CVE-2020-3992

ESXi vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

A use-after-free vulnerability in the OpenSLP component of VMware ESXi allows remote code execution. The flaw is a memory-management error in the slpd service: an attacker with network access to port 427 (the SLP service, TCP and UDP) on the ESXi management network can trigger it without authentication. Multiple ESXi versions are affected. VMware disclosed the issue in advisory VMSA-2020-0023 on October 20, 2020. CISA lists CVE-2020-3992 in its Known Exploited Vulnerabilities catalog and notes that it has been used in ransomware campaigns.

Technical details

The OpenSLP service (slpd) in VMware ESXi contains a use-after-free condition: an object is released and later dereferenced while handling SLP messages. An attacker who can reach port 427 sends specially crafted SLP requests that trigger the stale reference, and because slpd runs as root on the ESXi host, successful exploitation yields arbitrary code execution with root privileges on the hypervisor itself, not inside a guest.

The vulnerability is classified as CWE-416 (Use After Free) and CWE-401 (Missing Release of Memory after Effective Lifetime).

It has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality, integrity and availability.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code with root privileges on the ESXi hypervisor. This could lead to complete compromise of the virtualization platform, including access to all virtual machines, sensitive data, and the ability to modify or delete VMs. The attacker can establish persistent access, exfiltrate data, launch attacks against hosted virtual machines, and disrupt availability of the entire virtualization infrastructure.

Mitigation and workarounds

1. Download the ESXi patch bundle for your release line from VMware's security updates page (see the patch table in VMSA-2020-0023) and upload the offline bundle (.zip) to a datastore the host can read, for example under /vmfs/volumes/<datastore>/.
2. Migrate or power off the VMs on the host and put the host into maintenance mode.
3. Connect to the host via SSH (or use vSphere Update Manager / Lifecycle Manager instead of steps 3 to 4).
4. Apply the patch with esxcli, using the absolute path of the bundle on the datastore. Example: esxcli software vib install -d /path/to/patch.zip. Note that 'vib install' may also install, upgrade or downgrade other VIBs contained in the bundle; 'esxcli software vib update -d /path/to/patch.zip' only updates VIBs that are already installed and is the safer choice for a security patch.
5. Reboot the ESXi host to complete the installation.
6. Verify the running build with 'vmware -vl' (and 'esxcli software vib list' for the individual packages), then exit maintenance mode.

Fixed builds are listed in VMSA-2020-0023. Be aware that the ESXi patches VMware first released on October 20, 2020 (including the ESXi 7.0 build 7.0.1-0.0.16850804 cited in some references) were later found not to fix CVE-2020-3992 completely; VMware re-released corrected ESXi patches for the 7.0, 6.7 and 6.5 lines on November 4, 2020 and updated the advisory as VMSA-2020-0023.1. Hosts must be on the November 2020 patch level or later: ESXi 7.0 Update 1a or later, and for the 6.7 and 6.5 lines the November 2020 security patch bulletins. Note that 6.7 Update 3 and 6.5 Update 3 are the base releases those patches apply on top of, not fixed versions in themselves.

As temporary workarounds (compensating controls only; the patch is still required):

1. Restrict network access to port 427 (TCP and UDP, the SLP service) at the network perimeter and on management firewalls so that only trusted management hosts can reach it. ESXi management interfaces should never be reachable from the internet.
2. Disable the SLP service if it is not required in the environment. VMware documents the supported procedure in KB 76372 (stop slpd, disable the ESXi firewall ruleset CIMSLP that opens port 427, and prevent slpd from starting at boot). This removes SLP-based service discovery, which some CIM-based hardware monitoring clients depend on, so confirm nothing in the environment relies on it before disabling.
3. Implement network segmentation so that ESXi management traffic (vmkernel management interfaces) is isolated from untrusted networks and from VM traffic.
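The following script is an added example for workaround 2, not code from the page or from VMware: it wraps the three commands that VMware KB 76372 documents for stopping and disabling slpd on an ESXi host, with a preflight check so that it refuses to run anywhere other than an ESXi shell, and an enable function for rollback. The --disable/--status/--enable flags are this example's own convention.

```shell
#!/bin/sh
# Added example: disable slpd on an ESXi host as a compensating control for
# CVE-2020-3992, following the steps in VMware KB 76372.
# Run in the ESXi shell (SSH) as root. This is a workaround, not a fix.
set -eu

# Refuse to run anywhere but an ESXi shell: the commands below are ESXi-specific.
slp_preflight() {
    if [ ! -x /etc/init.d/slpd ] || ! command -v esxcli >/dev/null 2>&1; then
        echo "not an ESXi shell: /etc/init.d/slpd or esxcli not found" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        return 1
    fi
}

disable_slp() {
    slp_preflight
    # 1. Stop the running service so the 427/tcp+udp listener goes away now.
    /etc/init.d/slpd stop
    # 2. Close the ESXi firewall ruleset that opens port 427 (CIMSLP).
    esxcli network firewall ruleset set -r CIMSLP -e 0
    # 3. Keep slpd from starting again after a reboot.
    chkconfig slpd off
}

# Rollback: reverse the three steps (only once the host is patched).
enable_slp() {
    slp_preflight
    chkconfig slpd on
    esxcli network firewall ruleset set -r CIMSLP -e 1
    /etc/init.d/slpd start
}

# Show the persisted state so the change can be verified after a reboot.
show_slp_state() {
    chkconfig --list | grep slpd || true
    esxcli network firewall ruleset list | grep -i cimslp || true
}

case "${1:-}" in
    --disable) disable_slp; show_slp_state ;;
    --enable)  enable_slp;  show_slp_state ;;
    --status)  slp_preflight; show_slp_state ;;
esac
```

Run it as `sh disable_slp.sh --disable` on each host, then `--status` after the next reboot to confirm slpd is still off and CIMSLP is still disabled; the same state can also be checked centrally with PowerCLI or the host's firewall settings in vSphere Client.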

CISA's recommendation: Apply updates per vendor instructions.
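Whether a host is patched or only has slpd disabled or firewalled, the exposure should be confirmed from the network rather than assumed. The following Python script is an added example, not code from the page or from VMware: it builds a minimal SLPv2 Service Request (RFC 2608) for service:service-agent, which any SLP service agent must answer, sends it to UDP port 427 and reports whether an SLP answer came back. The host name, the XID and the sample reply are constructed for illustration.

```python
"""Added example (not VMware's or the page's code): an SLPv2 probe to check
whether an ESXi host still answers on the OpenSLP port (427) after patching
or after slpd has been disabled or firewalled.

Packet layout follows RFC 2608. Host names, XID and SAMPLE_SRVRPLY below are
constructed for illustration."""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
FUNC_SRVRQST = 1     # Service Request
FUNC_SRVRPLY = 2     # Service Reply
FUNC_SAADVERT = 11   # SA Advertisement (answer to a service:service-agent request)
FUNC_NAMES = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
              6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
              10: "SrvTypeRply", 11: "SAAdvert"}


def _slp_string(value: bytes) -> bytes:
    """RFC 2608 length-prefixed string: 2-byte big-endian length + bytes."""
    return struct.pack("!H", len(value)) + value


def build_message(function_id: int, body: bytes, xid: int, lang: bytes = b"en") -> bytes:
    """Prepend the SLPv2 header: version(1) func(1) length(3) flags(2)
    next-ext-offset(3) xid(2) lang-tag-len(2) lang-tag, then the body."""
    header_len = 12 + 2 + len(lang)
    total = header_len + len(body)
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags: no overflow/fresh/multicast
            + (0).to_bytes(3, "big")          # next extension offset
            + struct.pack("!H", xid)
            + _slp_string(lang)
            + body)


def build_srvrqst(service_type: bytes = b"service:service-agent",
                  scope: bytes = b"DEFAULT", xid: int = 0x1234) -> bytes:
    """SrvRqst for the service agent itself: any SLP SA has to answer it."""
    body = (_slp_string(b"")          # previous-responder list
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string(b"")        # predicate
            + _slp_string(b""))       # SLP SPI
    return build_message(FUNC_SRVRQST, body, xid)


def parse_slp_header(data: bytes) -> dict:
    """Decode the fixed header; raises ValueError on anything that is not SLPv2."""
    if len(data) < 14:
        raise ValueError("too short for an SLPv2 header")
    version, function_id = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"unexpected SLP version {version}")
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack("!H", data[5:7])[0]
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    if len(data) < 14 + lang_len:
        raise ValueError("truncated language tag")
    return {"function": FUNC_NAMES.get(function_id, f"unknown({function_id})"),
            "function_id": function_id, "length": length, "flags": flags,
            "xid": xid, "lang": data[14:14 + lang_len].decode("ascii", "replace")}


def is_slp_answer(data: bytes, xid: int) -> bool:
    """True if `data` is an SLPv2 reply to our request (matching XID)."""
    try:
        hdr = parse_slp_header(data)
    except ValueError:
        return False
    return hdr["xid"] == xid and hdr["function_id"] in (FUNC_SRVRPLY, FUNC_SAADVERT)


def probe_slp(host: str, timeout: float = 2.0, xid: int = 0x1234):
    """Send one SrvRqst to UDP/427; return the parsed reply header, or None
    when nothing answers (slpd disabled, or a firewall dropping port 427)."""
    pkt = build_srvrqst(xid=xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_slp_header(data) if is_slp_answer(data, xid) else None


# Constructed sample: a minimal SrvRply (error code 0, zero URL entries), used
# to exercise the parser without a live host.
SAMPLE_SRVRPLY = build_message(FUNC_SRVRPLY, struct.pack("!HH", 0, 0), xid=0x1234)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["esxi01.example.internal"]:  # hypothetical host
        reply = probe_slp(target)
        state = f"SLP exposed ({reply['function']})" if reply else "no SLP answer"
        print(f"{target}: {state}")
```

Any SLP answer means port 427 is reachable and slpd is still serving requests, so the workaround is not in effect from that vantage point; run the probe from the same networks the firewall rule is meant to block. slpd also listens on TCP 427, so a UDP-only filter would still leave the TCP listener exposed; an additional TCP connect check (or an nmap scan of both) covers that case.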

Source: This report was generated using AI

Related VMware Vulnerabilities

No related vulnerabilities found with identified affected products.