High
CVE-2020-3992 — ESXi OpenSLP remote code execution vulnerability
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-3992 — ESXi OpenSLP remote code execution vulnerability
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
Add Assessment
Ratings
-
Attacker ValueHigh
Technical Analysis
This is one of a set of vulnerabilities from the Zero Day Initiative affecting VMWare products. This is the most significant and most valuable to attackers in my opinion as this affects ESXi servers which are difficult and sometimes impossible to patch, depending on the age and type of hardware. VMWare ESXi updates can be done through a VMWare vCenter server, but as those are not present in all environments, a complex, manual update may be necessary, assuming the update is compatible with the hardware. The lack of legacy support and possible manual nature of VMWare ESXi’s update process will likely increase the time-availability of this vulnerability for attackers, even in enterprise environments.
The exploit target is the OpenSLP service on port 427, open and running in a default configuration. Here is a UDP nmap scan of an affected server:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-20 13:05 CDT Nmap scan report for server.redacted (xxx.xxx.xxx.xxx) Host is up (0.00055s latency). Not shown: 998 open|filtered ports PORT STATE SERVICE 161/udp closed snmp 427/udp open svrloc Nmap done: 2 IP addresses (1 host up) scanned in 10.32 seconds
The service is vulnerable to a specially crafted packet that can cause a use-after-free allowing arbitrary code execution. It is important to note that in the VMWare advisory here (https://www.vmware.com/security/advisories/VMSA-2020-0023.html), they include impacted products other than ESXi, but those are for other vulnerabilities that are less severe. A good breakdown of the vulnerabilities is here: https://www.cybersecurity-help.cz/vdb/SB2020102044
I have not yet seen a PoC for this vulnerability, so it is difficult to comment on the exact difficulty for the exploit, but given the nature of ESXi servers as often critical infrastructure with access to login servers like Domain Controllers, their high uptime requirements, specialty operating system, and difficulty patching, even if the exploit were highly complex, it would still be worth it for a given attacker.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- vmware
Products
- cloud foundation,
- esxi 6.5,
- esxi 6.7,
- esxi 7.0.0
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
On October 20, 2020, VMware published details on CVE-2020-3992, a critical use-after-free (UAF) vulnerability in ESXi, VMware’s enterprise-class hypervisor. The vulnerability allows an attacker on the management network with access to port 427 on an ESXi machine to achieve remote code execution by triggering a use-after-free in the OpenSLP service. CVE-2020-3992 carries a CVSSv3 base score of 9.8.
On November 4, VMware updated their advisory to note that the October 2020 ESXi patches were incomplete and did not fully address the vulnerability. Two days later, Microsoft researcher Kevin Beaumont posted a warning on Twitter that a ransomware group was using CVE-2020-3992 and another ESXi vulnerability (CVE-2019-5544) to “bypass all Windows OS security, by shutting down VMs and encrypting the VMDKs directly on [the] hypervisor.”
CVE-2020-3992 is an active threat. As of November 10, 2020, there are no public exploits or proofs-of-concept (PoC).
Affected products
- ESXi 7.0
- ESXi 6.7
- ESXi 6.5
- VMware Cloud Foundation (ESXi) 4.x
- VMware Cloud Foundation (ESXi) 3.x
Note: As of November 10, 2020, updated patches for VMware Cloud Foundation ESXi have not yet been released.
Rapid7 analysis
Use-after-free vulnerabilities are notoriously difficult to exploit reliably, and in many cases we would emphasize the lower likelihood of speedy proof-of-concept (PoC) development or widespread attacks. However, as Brendan Watters noted in his October 20 assessment of CVE-2020-3992, ESXi servers are critical infrastructure and high-value attack targets within many organizations: subject to high availability requirements, difficult to patch, and a pathway to domain controllers and other login servers. In other words, high exploit development complexity is offset by the gains of successful exploitation.
Beaumont’s Twitter post indicates that so far, a single ransomware group is attacking vulnerable ESXi servers, which may mean that the group bought an exploit on the black market. Ransomware groups profit most by attacking at scale, but we also expect that other attackers—e.g., nation state-sponsored threat actors—will add CVE-2020-3992 to their toolkits for more targeted operations. If you haven’t yet read the tweet thread on the ESXi vulnerabilities, it’s highly recommended.
Rapid7 also have a blog on this vulnerability here.
Guidance
VMware ESXi customers should update to the latest patches or mitigate the vulnerability (November 4, 2020) as quickly as possible. As a workaround, VMware customers can disable the SLP service and prevent CIM clients that use SLP from finding CIM servers over port 427. Full instructions for both enabling and removing the workaround are in VMware’s KB article here. ESXi management ports should not be exposed beyond the management network.
References
- https://twitter.com/GossiTheDog/status/1324896051128635392
- https://attackerkb.com/assessments/efb2e8ff-8b65-4b33-ac6f-ff08c0f09fb6
- https://www.vmware.com/security/advisories/VMSA-2020-0023.html
- https://blog.rapid7.com/2020/11/11/vmware-esxi-openslp-remote-code-execution-vulnerability-cve-2020-3992-and-cve-2019-5544-what-you-need-to-know/
- https://kb.vmware.com/s/article/76372
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: