Cybersecurity Threat Advisory 0008-21: Ransomware Groups Exploiting Critical VMware ESXi Vulnerabilities

Threat Update

There are two critical remote code execution vulnerabilities (CVE-2019-5544 and CVE-2020-3992) in VMware ESXi which allow an attacker on the network to take control of the ESXi host itself, deploy ransomware on it, and encrypt the virtual disk files of every virtual machine (VM) the host runs. Both vulnerabilities are reported to have been exploited in the wild. SKOUT recommends updating the software to the fixed version.

Technical Detail & Additional Information

WHAT IS THE THREAT?

There are two critical vulnerabilities in the VMware ESXi software which allow threat actors to take control of an unpatched ESXi host by sending malicious Service Location Protocol (SLP) requests to it, without first compromising the vCenter server that manages the host. Both are memory-corruption bugs in the OpenSLP service that ESXi exposes on port 427 (a heap overwrite in CVE-2019-5544 and a use-after-free in CVE-2020-3992), and both are rated 9.8/10 on the CVSS scale, making them critical. Additionally, there are reports that these vulnerabilities are being exploited in the wild by the RansomExx ransomware group, also known as "Defray777". As of this advisory, only the RansomExx gang has been seen exploiting them in attacks; however, the Babuk Locker ransomware advertises a feature that suggests it can exploit them as well.
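To make the SLP attack surface concrete, the following is an added example written for this advisory; it is not code from SKOUT, VMware, or the ransomware groups named above. It is a small SLPv2 client that builds the unicast service request a scanner (or an attacker) sends to port 427, parses the reply an SLP agent returns, and can be pointed at a host to confirm the service is reachable. The packet layout follows RFC 2608; the default service type and scope, the 192.0.2.x addresses and the sample replies are assumptions or constructed data. It identifies exposure only and contains no exploit.

```python
"""SLPv2 codec and exposure probe for the ESXi SLP service (UDP/TCP 427).

Added example. It builds a unicast SrvRqst (RFC 2608), parses the SrvRply or
SAAdvert an SLP agent answers with, and can be run against a host to confirm
that the OpenSLP service behind CVE-2019-5544 / CVE-2020-3992 is reachable.
The sample replies at the bottom are constructed, not captured from a host.
"""
import socket
import struct

SLP_PORT = 427          # OpenSLP on ESXi listens on TCP and UDP 427
SLP_VERSION = 2
FN_SRVRQST = 1          # Service Request
FN_SRVRPLY = 2          # Service Reply
FN_SAADVERT = 11        # SA Advertisement: the answer to a service:service-agent request
HEADER_LEN = 14         # fixed header bytes before the language tag


def _put_string(s: str) -> bytes:
    """Encode an SLP <2-byte length><string> field."""
    raw = s.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw


def _get_string(data: bytes, off: int):
    """Decode an SLP <length><string> field at off; return (text, next_off)."""
    (n,) = struct.unpack("!H", data[off:off + 2])
    off += 2
    return data[off:off + n].decode("utf-8", "replace"), off + n


def _header(function: int, xid: int, body_len: int, lang: str = "en") -> bytes:
    """SLPv2 header: version(1) function(1) length(3) flags(2)
    next-ext-offset(3) xid(2) lang-tag-len(2) lang-tag. Flags 0 = unicast."""
    tag = lang.encode("ascii")
    length = HEADER_LEN + len(tag) + body_len
    return (struct.pack("!BB", SLP_VERSION, function)
            + length.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags: unicast, not overflowed
            + (0).to_bytes(3, "big")          # next extension offset: none
            + struct.pack("!H", xid)
            + struct.pack("!H", len(tag)) + tag)


def build_srvrqst(service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", xid: int = 1) -> bytes:
    """Build a SrvRqst. Body: PRList, service-type, scope-list, predicate,
    SLP SPI, each <len><str>. A unicast request must be answered by any SLP
    agent, even one with nothing matching, which is what makes it a probe."""
    body = (_put_string("") + _put_string(service_type) + _put_string(scope)
            + _put_string("") + _put_string(""))
    return _header(FN_SRVRQST, xid, len(body)) + body


def parse_header(data: bytes) -> dict:
    """Parse the SLPv2 header; 'body' is the offset of the first body field."""
    if len(data) < HEADER_LEN:
        raise ValueError("short SLP header")
    version, function = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"unexpected SLP version {version}")
    length = int.from_bytes(data[2:5], "big")
    (flags,) = struct.unpack("!H", data[5:7])
    (xid,) = struct.unpack("!H", data[10:12])
    lang, body = _get_string(data, 12)
    return {"function": function, "length": length, "flags": flags,
            "xid": xid, "lang": lang, "body": body}


def parse_reply(data: bytes) -> dict:
    """Parse a SrvRply (error code + URL entries) or an SAAdvert (one URL)."""
    hdr = parse_header(data)
    off, urls, error = hdr["body"], [], 0
    if hdr["function"] == FN_SRVRPLY:
        error, count = struct.unpack("!HH", data[off:off + 4])
        off += 4
        for _ in range(count):
            # URL entry: reserved(1) lifetime(2) url-len(2) url auth-count(1) auth blocks
            url, off = _get_string(data, off + 3)
            n_auth, off = data[off], off + 1
            for _ in range(n_auth):
                # auth block: BSD(2) block-length(2) ...; skip it by its own length
                (blk_len,) = struct.unpack("!H", data[off + 2:off + 4])
                off += blk_len
            urls.append(url)
    elif hdr["function"] == FN_SAADVERT:
        url, off = _get_string(data, off)      # then scope-list, attr-list, auths
        urls.append(url)
    else:
        raise ValueError(f"unexpected SLP function {hdr['function']}")
    return {"function": hdr["function"], "xid": hdr["xid"], "error": error, "urls": urls}


def probe(host: str, timeout: float = 2.0):
    """Send one unicast SrvRqst over UDP; return the parsed reply or None on
    silence. Any reply means the SLP service is reachable on that host."""
    xid = 0x5A1D
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(xid=xid), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_reply(data)
    if reply["xid"] != xid:
        raise ValueError("reply XID does not match the request")
    return reply


def sample_srvrply(xid: int = 0x5A1D) -> bytes:
    """Constructed SrvRply with one unauthenticated URL entry (assumed CIM URL)."""
    entry = (b"\x00" + struct.pack("!H", 65535)          # reserved, lifetime
             + _put_string("service:wbem:https://192.0.2.10:5989") + b"\x00")
    body = struct.pack("!HH", 0, 1) + entry               # error 0, one entry
    return _header(FN_SRVRPLY, xid, len(body)) + body


def sample_saadvert(xid: int = 0x5A1D) -> bytes:
    """Constructed SAAdvert: URL, scope-list, attr-list, no auth blocks."""
    body = (_put_string("service:service-agent://192.0.2.10")
            + _put_string("DEFAULT") + _put_string("") + b"\x00")
    return _header(FN_SAADVERT, xid, len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))            # e.g. python slp_probe.py 192.0.2.10
    else:
        print(parse_reply(sample_srvrply()), parse_reply(sample_saadvert()))
```

Run it with a host address to probe one ESXi host, or with no arguments to exercise the parser on the constructed replies. A host that answers is one whose SLP service is reachable and should be checked against the fixed versions below (or have the KB76372 workaround applied); a host that stays silent after the workaround is the expected result.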

WHY IS IT NOTEWORTHY?

These vulnerabilities allow attackers to bypass the security controls running inside the guest VMs entirely, such as Windows endpoint protection: the ransomware runs on the hypervisor and encrypts the virtual disk files directly, so nothing inside the guest operating system ever sees it. Additionally, an ESXi host consolidates many VMs onto a single piece of hardware, so compromising one host puts the data of every VM on it at risk of ransom at once.

WHAT IS THE EXPOSURE OR RISK?

CVE-2019-5544 affects VMware ESXi versions 6.0, 6.5 and 6.7 (VMware advisory VMSA-2019-0022; the 6.7 fix is ESXi670-201912001, and 6.5 and 6.0 have their own patch bulletins in that advisory) as well as Horizon DaaS 8.x, which is fixed in 9.0.0.0. CVE-2020-3992 affects VMware ESXi versions 7.0, 6.7 and 6.5 as well as VMware Cloud Foundation (ESXi) 4.x and 3.x (VMSA-2020-0023). VMware's first fix for CVE-2020-3992 was incomplete and the advisory was later updated; the patch identifiers in the chart below are the updated ones, so a host patched against the original October 2020 release should be patched again. Please see the chart below for patching and update details.

WHAT ARE THE RECOMMENDATIONS?

VMware has released patches for the affected software versions. SKOUT recommends updating to the fixed version of the software. If updating is not an option, the workaround in VMware KB76372 removes the attack surface by stopping the slpd service on the ESXi host, disabling the CIMSLP firewall ruleset, and using chkconfig to keep slpd disabled across reboots; VMware notes the service should only be stopped when it is not in use, and the workaround should be reverted once the host is patched.

Updates patching CVE-2019-5544:

Product               Fixed Version                                   Workaround
ESXi 6.7              ESXi670-201912001                               KB76372
ESXi 6.5              separate 6.5 patch bulletin in VMSA-2019-0022   KB76372
ESXi 6.0              separate 6.0 patch bulletin in VMSA-2019-0022   KB76372
Horizon DaaS 8.x      9.0.0.0                                         KB76411

Updates patching CVE-2020-3992:

Product                               Fixed Version            Workaround
ESXi 7.0                              ESXi70U1a-17119627       KB76372
ESXi 6.7                              ESXi670-202011301-SG     KB76372
ESXi 6.5                              ESXi650-202011401-SG     KB76372
VMware Cloud Foundation (ESXi) 4.x    4.1.0.1                  KB76372
VMware Cloud Foundation (ESXi) 3.x    3.10.1.2                 KB76372

References:

For more in-depth information about the recommendations, see the VMware security advisories VMSA-2019-0022 (CVE-2019-5544) and VMSA-2020-0023 (CVE-2020-3992), and VMware knowledge base articles KB76372 (ESXi SLP workaround) and KB76411 (Horizon DaaS workaround).
