VMware ESXi remote code execution - steps to defend your systems
Apart from personal endpoints, users rarely interact with systems running directly on hardware. Instead, today's remote servers are usually virtual machines.
Many virtual machines get consolidated onto beefy hardware. VMware ESXi often runs on such hardware and splits it up for multiple virtual machines. Its main strength lies in seamless load distribution and the management of larger fleets of servers. I have seen ESXi in many data centers around the world.
ESXi remote code execution - 2021
Recently, Trend Micro's Zero Day Initiative announced a severe issue in ESXi: arbitrary remote code execution.
Last fall, I reported two critical-rated, pre-authentication remote code execution vulnerabilities in the VMware ESXi platform. Both of them reside within the same component, the Service Location Protocol (SLP) service […]
VMware released a third patch in February completely addressing the heap overflow portion of these bugs. The heap overflow was assigned CVE-2021-21974.
– About six months is a long time to patch, given the severity. I don't think it's even relevant whether VMware has its own version of the affected component (OpenSLP). They seem to have issues understanding security issues in general there.
Updating VMware ESXi
Updates to VMware ESXi are not easy, because you need to reboot the hosts. System administrators have probably felt the pain already…
In fact, even downloading the update is complex and takes an extended amount of time.
- The official automated tools for this fail because of bugs (they report full disks that are not full).
- The VMware portals and knowledge bases are a labyrinth with a bad search. Multiple complex login procedures are required just to download a patch.
Given this level of quality, I think it’s probably better to look towards oVirt. There will be bugs in oVirt as well, but at least you have a simple update procedure without untested enterprise tools from VMware.
How to patch the ESXi host (test system)
Here's a command-line log of how to update an ESXi host manually:
[[email protected]:/vmfs/volumes/593.../utils] esxcli software vib update -d /vmfs/volumes/datastore1/utils/ESXi670-202103001.zip
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
On a test system the update should complete like this; after the reboot you can perform the usual system acceptance test.
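As an added example (not from the original post), here is the same manual step wrapped in a small POSIX shell script for the ESXi shell. It runs the esxcli command from the log above and decides from the output whether a reboot is pending, so that a host is only rebooted after esxcli reported success. The bundle path is the one from the log and is an assumption about your datastore layout; when no esxcli binary is present (for example when trying the script on a workstation) it parses a constructed copy of the output shown above instead.

```shell
#!/bin/sh
# Added example, not from the original post: wrap "esxcli software vib
# update" so the host is only rebooted when esxcli reports success and
# "Reboot Required: true". The output format is the one shown in the
# post's log; the bundle path below is an assumption about the datastore.

BUNDLE="${1:-/vmfs/volumes/datastore1/utils/ESXi670-202103001.zip}"

# Constructed sample of esxcli's output, mirroring the post's log. It is
# used when esxcli is not available on the machine running this script.
SAMPLE_OUTPUT='Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true'

# update_outcome <esxcli-output>  -> prints: reboot | done | failed
# The decision is made from the text, not from esxcli's exit code, so the
# reason for a failure stays visible in the captured output.
update_outcome() {
    case "$1" in
        *"The update completed successfully"*)
            case "$1" in
                *"Reboot Required: true"*) echo reboot ;;
                *)                         echo done ;;
            esac ;;
        *) echo failed ;;
    esac
}

# run_update -> prints the esxcli output (or the constructed sample)
run_update() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli software vib update -d "$BUNDLE" 2>&1 || true
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

main() {
    result="$(run_update)"
    printf '%s\n' "$result"
    case "$(update_outcome "$result")" in
        reboot) echo "Patch staged. Put the host into maintenance mode and reboot to activate it." ;;
        done)   echo "Patch applied; no reboot needed." ;;
        failed) echo "Update did not complete; inspect the output above." >&2; return 1 ;;
    esac
}

main "$@"
```

On a real host, pass the path of the downloaded offline bundle as the first argument; the script deliberately leaves the reboot itself to the administrator, because hosts usually have to be evacuated first.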
You can restrict network access to SLP
Given that the affected component (SLP) isn't audited for security and is maintained with few resources (six months to patch, few lines of code), it may be worth considering network-level security controls. ESXi has a host firewall.
[[email protected]:~] esxcli network firewall ruleset rule list
Ruleset                Direction Protocol Port Type Port Begin Port End
---------------------- --------- -------- --------- ---------- --------
...
CIMSLP                 Inbound   UDP      Dst       427        427
CIMSLP                 Outbound  UDP      Dst       427        427
CIMSLP                 Inbound   TCP      Dst       427        427
CIMSLP                 Outbound  TCP      Dst       427        427
...
On a related note: if you enumerate the services, you get a huge attack surface to threat-model, of course. There is more… More to come. More pain. For a costly product.
Back to the topic: with the linked esxcli commands you may also be able to restrict SLP to more specific network ranges, depending on the level of integration needed, of course.
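An added example, not part of the original post: a script for the ESXi shell that audits the ruleset table above for anything accepting inbound traffic on port 427 and, only when explicitly asked, switches the matching ruleset from "allow all sources" to an explicit allow-list using esxcli's ruleset set --allowed-all and ruleset allowedip add subcommands. The 10.0.0.0/24 management range and the extra sshServer and vSphereClient rows in the sample table are constructed placeholders; without an esxcli binary the script audits that sample instead of a live host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the ESXi host firewall
# for rulesets that accept inbound traffic on the SLP port (427) and,
# optionally, restrict them to an administrative network range.
# Assumptions: the table layout is the one printed by
# "esxcli network firewall ruleset rule list" as shown in the post;
# MGMT_NET is a placeholder for your management network.

MGMT_NET="${MGMT_NET:-10.0.0.0/24}"   # placeholder administrative range

# Constructed sample in the layout shown in the post. The sshServer and
# vSphereClient rows are made up for illustration.
SAMPLE_RULES='Ruleset                Direction Protocol Port Type Port Begin Port End
---------------------- --------- -------- --------- ---------- --------
sshServer              Inbound   TCP      Dst       22         22
CIMSLP                 Inbound   UDP      Dst       427        427
CIMSLP                 Outbound  UDP      Dst       427        427
CIMSLP                 Inbound   TCP      Dst       427        427
CIMSLP                 Outbound  TCP      Dst       427        427
vSphereClient          Inbound   TCP      Dst       902        902'

# inbound_rulesets_for_port <rules-table> <port>
# Prints the unique ruleset names whose inbound port range covers <port>.
# Skips the two header lines; columns are ruleset, direction, protocol,
# port type, port begin, port end.
inbound_rulesets_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 2 && $2 == "Inbound" && $5+0 <= port+0 && $6+0 >= port+0 { print $1 }' | sort -u
}

# rules_table -> the live table on an ESXi host, the sample elsewhere
rules_table() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli network firewall ruleset rule list
    else
        printf '%s\n' "$SAMPLE_RULES"
    fi
}

# restrict_ruleset <ruleset-id> <cidr>
# Turns off "allow from any source" for the ruleset and adds one allowed
# network. Only ever called on a real host with APPLY=yes.
restrict_ruleset() {
    esxcli network firewall ruleset set --ruleset-id "$1" --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id "$1" --ip-address "$2"
}

exposed="$(inbound_rulesets_for_port "$(rules_table)" 427)"
if [ -n "$exposed" ]; then
    echo "Inbound port 427 (SLP) is accepted by ruleset(s): $exposed"
    if [ "${APPLY:-no}" = yes ] && command -v esxcli >/dev/null 2>&1; then
        for rs in $exposed; do restrict_ruleset "$rs" "$MGMT_NET"; done
        esxcli network firewall ruleset allowedip list --ruleset-id CIMSLP
    fi
else
    echo "No inbound ruleset accepts port 427."
fi
```

Run it once without APPLY to see what the host exposes, then with APPLY=yes MGMT_NET=<your range> to apply the allow-list; the final allowedip list call shows what the firewall now accepts for CIMSLP. If SLP is not needed at all, disabling the ruleset entirely is the simpler option.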
From a Linux system you can check the network filter with:
[email protected]:~$ nmap -PN -sV -p 427 144.76.X.Y
...
Host is up.
PORT    STATE    SERVICE VERSION
427/tcp filtered svrloc
...
Easy. Filtered is good here.
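As an added example that is not from the original post, the nmap check above turned into a script that parses the PORT/STATE line and fails when 427/tcp is reachable, which makes it usable as a recurring check after firewall changes. The target host is a placeholder argument; without one, the script parses a constructed sample of the nmap output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: verify from an outside host
# that TCP/427 on an ESXi system is filtered, and fail when it is open.
# Assumptions: nmap's normal "PORT STATE SERVICE" output as in the post;
# the target is given as the first argument (placeholder otherwise).

TARGET="${1:-}"

# Constructed sample of nmap output, used when no target is given.
SAMPLE_NMAP='Starting Nmap ( https://nmap.org )
Nmap scan report for esxi-host.example.invalid
Host is up (0.0021s latency).

PORT    STATE    SERVICE VERSION
427/tcp filtered svrloc

Service detection performed.'

# port_state <nmap-output> <port>  -> prints open | filtered | closed | unknown
port_state() {
    state="$(printf '%s\n' "$1" | awk -v p="$2/tcp" '$1 == p { print $2 }')"
    printf '%s\n' "${state:-unknown}"
}

# slp_exposure_ok <state>  -> returns 0 when the port is not reachable
slp_exposure_ok() {
    case "$1" in
        filtered|closed) return 0 ;;
        *)               return 1 ;;
    esac
}

# scan -> live nmap output for TARGET, or the constructed sample
scan() {
    if [ -n "$TARGET" ] && command -v nmap >/dev/null 2>&1; then
        nmap -Pn -sV -p 427 "$TARGET"
    else
        printf '%s\n' "$SAMPLE_NMAP"
    fi
}

main() {
    out="$(scan)"
    state="$(port_state "$out" 427)"
    label="${TARGET:-(constructed sample)}"
    if slp_exposure_ok "$state"; then
        echo "OK: 427/tcp is $state on $label"
    else
        echo "WARNING: 427/tcp is $state on $label; SLP is reachable from this network" >&2
        return 1
    fi
}

main "$@"
```

SLP also listens on UDP/427 (see the CIMSLP rules above); checking that side needs a UDP scan (nmap -sU), which requires root and is slower, so it is left out here.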
(Source: VMware news. – While leaving remote code execution in their flagship product unpatched for months?)
Every piece of software has bugs and vulnerabilities. It's sometimes about focus and reacting to such issues, not "just" about prevention.
We don't have the software development practices to avoid issues like this. But we do have the means to react faster and more efficiently. That should include VMware in 2021, because they provide key infrastructure components for many organizations. More development and security testing, a better customer portal, and more seamless patch and update management would certainly help.