
Threat Update

There are two critical remote code execution vulnerabilities (CVE-2019-5544 and CVE-2020-3992) in VMware ESXi that allow attackers to effectively gain control of a virtual machine (VM), deploy ransomware, and encrypt ESXi virtual disk drives. Both vulnerabilities are reported to have been exploited in the wild. SKOUT recommends updating the software to the fixed version.

Technical Detail & Additional Information

WHAT IS THE THREAT?

There are two critical vulnerabilities in the VMware ESXi software that allow threat actors to exploit the Service Level Protocol (SLP) and gain control of an unpatched ESXi device by sending malicious SLP requests to it, without needing to compromise the governing VMware vCenter server. These vulnerabilities, CVE-2019-5544 and CVE-2020-3992, are both rated 9.8/10 on the CVSS scale, making them critical. Additionally, there are reports that they are being exploited in the wild by the RansomExx ransomware group, also known as “Defray777”. As of this advisory, only the RansomExx gang has exploited the vulnerabilities in attacks; however, the Babuk Locker ransomware also advertises a feature indicating it can exploit these vulnerabilities.

WHY IS IT NOTEWORTHY?

These vulnerabilities allow attackers to bypass all Windows OS security mechanisms and encrypt the VMs directly. Additionally, the VMware ESXi hypervisor is typically used to consolidate workloads and data from many systems onto one host. This centralization use case means these vulnerabilities put more data at a higher risk of ransom.

WHAT IS THE EXPOSURE OR RISK?

CVE-2019-5544 affects VMware ESXi devices running version 6.0, 6.5, or 6.7, which are patched with version “ESXi670-201912001”, as well as Horizon DaaS versions 8.X, which is patched in version 9.0.0.0. CVE-2020-3992 affects VMware ESXi versions 7.0, 6.7, and 6.5, as well as VMware Cloud Foundation (ESXi) versions 4.X and 3.X. Please see the charts below for patching and update details.

WHAT ARE THE RECOMMENDATIONS?

VMware has released patches for the affected software versions. SKOUT recommends updating to the fixed version of the software. Where updating is not an option, workarounds are provided in the VMware references below.

Updates patching CVE-2019-5544:

Product              Fixed Version        Workarounds
ESXi v6.7            ESXi670-201912001    KB76372
ESXi v6.5            ESXi670-201912001    KB76372
ESXi v6.0            ESXi670-201912001    KB76372
Horizon DaaS v8.X    9.0.0.0              KB76411

Updates patching CVE-2020-3992:

Product                                Fixed Version            Workarounds
ESXi v7.0                              ESXi70U1a-17119627       KB76372
ESXi v6.7                              ESXi670-202011301-SG     KB76372
ESXi v6.5                              ESXi650-202011401-SG     KB76372
VMware Cloud Foundation (ESXi) v4.X    4.1.0.1                  KB76372
VMware Cloud Foundation (ESXi) v3.X    3.10.1.2                 KB76372
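As an added example (not code from the advisory or from VMware), the POSIX shell script below classifies an ESXi host's SLP exposure from the output of `chkconfig --list` and `esxcli network firewall ruleset list`, and can apply the SLP workaround on hosts that cannot be patched yet. It assumes the KB76372 workaround consists of stopping the slpd service, disabling the CIMSLP firewall ruleset, and keeping slpd from starting at boot; the sample command output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the advisory or from VMware. Assumes the KB76372
# workaround is: stop slpd, disable the CIMSLP firewall ruleset, disable slpd at boot.

# Classify a host's SLP exposure from two command outputs passed as text:
#   $1 = output of `chkconfig --list`                    (line: "slpd   on")
#   $2 = output of `esxcli network firewall ruleset list` (line: "CIMSLP  true")
# Prints EXPOSED (service enabled and port open), MITIGATED (both off),
# or PARTIAL (only one of the two workaround steps applied).
slp_exposure() {
    slpd_state=$(printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }')
    cimslp_state=$(printf '%s\n' "$2" | awk '$1 == "CIMSLP" { print $2 }')
    if [ "$slpd_state" = "on" ] && [ "$cimslp_state" = "true" ]; then
        echo EXPOSED
    elif [ "$slpd_state" != "on" ] && [ "$cimslp_state" != "true" ]; then
        echo MITIGATED
    else
        echo PARTIAL
    fi
}

# Run the classification against the live host (ESXi shell only).
check_live_host() {
    slp_exposure "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
}

# Apply the workaround on an ESXi host that cannot be patched yet.
apply_slp_workaround() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Constructed sample output (not from a real host) so the classifier
# can be exercised off-box.
SAMPLE_SERVICES="hostd            on
slpd             on"
SAMPLE_FIREWALL="Name      Enabled
--------  -------
CIMSLP    true"

if command -v esxcli >/dev/null 2>&1; then
    verdict=$(check_live_host)
    echo "SLP exposure on $(hostname): $verdict"
    if [ "$1" = "--apply" ] && [ "$verdict" != "MITIGATED" ]; then
        apply_slp_workaround
    fi
else
    echo "Sample host: $(slp_exposure "$SAMPLE_SERVICES" "$SAMPLE_FIREWALL")"
fi
```

Run it without arguments on an ESXi host to report the verdict only; pass `--apply` to enforce the workaround when the host is not already mitigated.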

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.



Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.
