Over 2500 VMWare servers have been targeted by ransomware operators over the past few weeks. The ransomware groups have been encrypting the VMWare servers that are exposed to the Internet and affected by CVE-2021-201974.
We look at the vulnerability and the suggested course of action by VMWare to resolve the threats on the ESXi servers.
- What is the vulnerability on the VMWare ESXi servers?
- How to protect against OpenSLP vulnerability on ESXi servers?
- How to recover encrypted servers using CISA script?
What is the vulnerability on the VMWare ESXi servers?
VMWare ESXi servers are affected by a vulnerability CVE-2021-21974 that VMWare disclosed in 2021. VMWare had also released a patch to resolve this vulnerability.
The current round of attacks is exploiting the vulnerability on VMWare servers that are unpatched. Threat actors and ransomware operators are encrypting the ESXi servers.
VMWare believes that these attacks are exploiting an old vulnerability that was disclosed sometime in 2021. VMWare suggests deploying the security patch on the VMWare ESXi servers to protect against the threat. VMWare had shared an advisory against the vulnerability and you can read it here.
VMWare has denied that the current round of attacks exploits a newer zero-day vulnerability. This is positive news because VMWare had already suggested a workaround and released a security update to resolve the threats on the ESXi servers.
The current round of attacks has primarily targeted ESXi servers in the following networks and countries:
- 1099 servers on the OVH cloud network in France
- 298 servers in the Hetzner AS in Germany
- 123 servers in Online SAS networks (mainly) spread across France
- 37 servers in LeaseWeb Netherlands
- 15 servers in the IOMART network in the United Kingdom
So, you can see that the impact has been largely limited to Europe and France is the worst affected country in terms of the ESXi vulnerability on the VMWare servers.
Here are brief notes about the OpenSLP issue on VMWare ESXi servers:
VMWare ESXi servers are affected by a heap overflow vulnerability in the OpenSLP. Port 427 is used to exploit this vulnerability.
The OpenSLP project is an effort to develop an open-source implementation of the IETF Service Location Protocol suitable for commercial and non-commercial applications. You can read more about OpenSLP on the GitHub page for OpenSLP.
A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service resulting in remote code execution.
This vulnerability is tracked under CVE-2021-21974 and has a CVSS-rated severity of 8.8. It has an ‘IMPORTANT’ severity rating.
Censys has set up a tracker to track the servers that have been affected and targeted by ransomware operators. You can find information about servers that have been attacked on the Censys page here. As of writing this, over 2500 servers are impacted.
How to protect against the OpenSLP vulnerability on VMWare ESXi servers?
There are a few possible options that are available to system administrators to protect against potential attacks on the VMWare ESXi servers.
- CVE-2022-21974 targets OpenSLP vulnerability. OpenSLP uses port 427. So, one option is to block port 427 on the server.
- VMWare had released security patches for the ESXi servers to protect against the OpenSLP vulnerability. The security updates have been released for the ESXi servers with versions 7.0, 6.7, and 6.5.
- For ESXi server version 7.0, you need to deploy the security update ESXi70U1c-17325551.
- For ESXi server version 6.7, you need to deploy the security update ESXi670-202102401-SG.
- For ESXi server version 6.5, you need to deploy the security update ESXi650-202102101-SG.
- For system administrators who are unable to apply the security updates, VMWare released a workaround that involves disabling the OpenSLP service on the VMWare ESXi servers. The workaround has been published by VMWare for ESXi servers on this page.
How to recover encrypted servers using the CISA script?
CISA released a script on 7th February 2023. This script will help you recover and rebuild servers that were encrypted as part of the latest ransomware attempts against the ESXi servers.
It is believed that the current round of attacks was partly successful. The flat files could not be encrypted under the attacks and researchers were able to recover and rebuild the servers using the flat file information.
Enes Sonmez & Ahmet Aykac of the YoreGroup Tech Team were able to create a script to rebuild the affected servers from the flat files. This script forms the basis of action suggested by the CISA.
CISA has released the script on the GitHub page and it is aptly named as ESXiArgs Recover script.
CISA also released a statement last night –
CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.
CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is fit for attempting to recover access to files in their environment.
Summary
For now, it is clear that ESXi servers that have not been patched during the last 18-24 months are the subject of these ransomware attacks in February 2023. We suggest patching the ESXi servers immediately. Or, you can disable the OpenSLP service and close port 427 on the servers.
Once the server is encrypted, it is not possible to decrypt it without the availability of the decryptor keys.
We also suggest reading OVH Cloud’s advisory on the current state of ESXi servers’ exploitation.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.