VMware ESXi remote code execution - steps to defend your systems (CVE-2020-3992)



Apart from personal endpoints, users rarely interact with systems running directly on hardware. Today's remote servers are mostly virtual machines.

Many virtual machines are consolidated onto beefy hardware. VMware ESXi often runs on such hardware and splits it among multiple virtual machines. Its main strength is seamless load distribution and management of larger fleets of servers. I have seen ESXi in many data centers around the world.

ESXi remote code execution - 2021

Recently, Trend Micro's Zero Day Initiative announced a severe issue in ESXi that allows arbitrary remote code execution.

Quote:

Last fall, I reported two critical-rated, pre-authentication remote code execution vulnerabilities in the VMware ESXi platform. Both of them reside within the same component, the Service Location Protocol (SLP) service […]
VMware released a third patch in February completely addressing the heap overflow portion of these bugs. The heap overflow was assigned CVE-2021-21974.

– About six months is a long time to patch, given the severity. I don't think it's even relevant whether VMware has its own version of the affected component (OpenSLP). They seem to have issues understanding security issues in general there.

Updating VMware ESXi

Updates to VMware ESXi are not easy, because you need to restart the hosts. System administrators probably felt the pain already…

In fact, even downloading the update is complex and takes an extended amount of time.

  • The official automated tools for this fail because of bugs (they report full disks that are not full).
  • The VMware portals and knowledge bases are a labyrinth with a bad search. Multiple complex login procedures are required just to download a patch.

Given this level of quality, I think it’s probably better to look towards oVirt[1]. There will be bugs in oVirt as well, but at least you have a simple update procedure without untested enterprise tools from VMware.

How to patch the ESXi host (test system)

Here's a command-line log of how to update an ESXi host manually:

    [[email protected]:/vmfs/volumes/593.../utils] esxcli software vib update -d /vmfs/volumes/datastore1/utils/ESXi670-202103001.zip
    Installation Result
       Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
       Reboot Required: true

It should result in something like this on a test system:

You can perform the usual system acceptance test.

You can restrict network access to SLP

Given that the affected component (SLP) isn't audited for security and is maintained with few resources (six months to patch, few lines of code), it is worth considering network-level security controls. ESXi has a host firewall.

    [[email protected]:~] esxcli network firewall ruleset rule list
    Ruleset                 Direction  Protocol  Port Type  Port Begin  Port End
    ----------------------  ---------  --------  ---------  ----------  --------
    ...
    CIMSLP                  Inbound    UDP       Dst               427       427
    CIMSLP                  Outbound   UDP       Dst               427       427
    CIMSLP                  Inbound    TCP       Dst               427       427
    CIMSLP                  Outbound   TCP       Dst               427       427
    ...

On a related note: if you enumerate the services in that ruleset list, you end up threat-modelling a huge attack surface. There is more… More to come. More pain. For a costly product.

Back to topic: with the linked esxcli commands you can also restrict SLP to more specific network ranges, depending on the level of integration you need.

From a Linux system you may check the network filters with nmap:

    [email protected]:~$ nmap -PN -sV -p 427 144.76.X.Y
    ...

    Host is up.

    PORT    STATE    SERVICE VERSION
    427/tcp filtered svrloc
    ...

Easy. Filtered is good here.
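An added example (not from the original post) covering both steps above: `restrict_slp` narrows the CIMSLP ruleset to given management ranges on the ESXi host itself, and `open_slp_hosts` reads nmap grepable output (`nmap -oG -`) and prints hosts where 427/tcp is open rather than filtered. The esxcli long-form flags are the documented `--ruleset-id`, `--allowed-all` and `--ip-address`; the 10.0.0.0/24 range in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post.
#  restrict_slp   : run on the ESXi host (esxcli only exists there); stops the
#                   CIMSLP ruleset from allowing all sources and allow-lists
#                   only the CIDR ranges given as arguments, e.g.
#                   ./slp.sh restrict 10.0.0.0/24   (constructed range)
#  open_slp_hosts : run anywhere; reads `nmap -p 427 -oG - <targets>` on
#                   stdin and prints every host whose 427/tcp is "open".

restrict_slp() {
    [ "$#" -gt 0 ] || { echo "usage: restrict <cidr> [<cidr>...]" >&2; return 1; }
    # Stop allowing all sources for SLP first ...
    esxcli network firewall ruleset set --ruleset-id=CIMSLP --allowed-all=false || return 1
    # ... then allow only the management ranges we were given.
    for range in "$@"; do
        esxcli network firewall ruleset allowedip add --ruleset-id=CIMSLP --ip-address="$range" || return 1
    done
    # Print the resulting allow-list so the change can be checked.
    esxcli network firewall ruleset allowedip list --ruleset-id=CIMSLP
}

open_slp_hosts() {
    # Grepable nmap lines look like (fields are whitespace separated):
    #   Host: 192.0.2.10 ()  Ports: 427/open/tcp//svrloc///
    # "filtered" or "closed" hosts are skipped; only "open" is reported.
    awk '/^Host:/ && /Ports:/ && /427\/open\/tcp/ { print $2 }'
}

# Only act when run as a script on the ESXi host with the "restrict" verb.
if [ "${1:-}" = "restrict" ] && command -v esxcli >/dev/null 2>&1; then
    shift
    restrict_slp "$@"
fi
```

Scan output with anything listed by `open_slp_hosts` is a host that still accepts SLP from wherever you scanned from; an empty list is the "filtered is good" result the post describes.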

Summary

As a long-time advocate for cyber hygiene, VMware applauds the @WhiteHouse’s attention and effort to address growing #cybersecurity threats. The Executive Order is an important step forward.

(Source: VMware news. – While leaving remote code execution in their flagship product unpatched for months?)

All software has bugs and vulnerabilities. What matters is focus and reacting to such issues, not "just" prevention.

We don't have the software development practices to avoid issues like this. But we do have the means to react faster and more efficiently. That should include VMware in 2021, because they provide key infrastructure components for many organizations. More development and security testing, a better customer portal, and more seamless patch and update management would certainly help.


  1. https://www.ovirt.org/
