Cybersecurity Threat Advisory 0064-20: Second Patch Released for VMWare Vulnerability (CVE-2020-3992)
A previously discovered remote code execution vulnerability for VMware ESXi has received a second patch from VMware, which should now correctly stop exploitation of the OpenSLP service issue. If an attacker were to attempt to exploit an unpatched machine, they could potentially compromise not only that host, but any VMware instances that are managed by it. VMware has released a new patch and recommends all users of ESXi update.
Technical detail and additional information
What is the threat?
A remote code execution vulnerability exists for VMware ESXi, a popular enterprise-class hypervisor for managing VMware virtual instances. Successful exploitation of this vulnerability requires the attacker to both be on the management network and have access to port 427 on any ESXi machine and stems from a “use after free” flaw with the OpenSLP service which allows remote code execution. “User after free” (also known as a dangling pointer) is a common weakness in an application in which memory is referenced after it has been freed. This can cause a number of unforeseen complications including the execution of code, such as in this case.
Why is this noteworthy?
The main point of note for this particular vulnerability is that this is technically the second patch that has been released by VMware to address this issue. The previous patch from October was found to remediate the issue incompletely, and now VMware has once again claimed that this should plug this hole in security. This is also noteworthy from the lens that many organizations use VMware ESXi to manage a large subset of virtual devices, and a compromise of ESXi can lead to cascading consequences.
What is the exposure or risk?
With ESXi vulnerable to a remote code execution, this exploit puts any VMware instances managed by an un-patched version of ESXi at risk if it is compromised. If the controlling ESXi host is compromised and arbitrary code is executed, it is possible that any instance managed by that ESXi host can now be compromised as well. The exact nature of this compromise can differ greatly depending on the intent of the actor exploiting the vulnerability, but in general files can be added, changed, or deleted, malware can be distributed to many or all instances, private information can be taken, and much more.
What are the recommendations?
VMware has released a new patch for this vulnerability, and it should be installed to ensure all VMware instances and the ESXi host itself remain secure. Be sure that you download the correct new patch for this vulnerability, and not the previously outdated one that failed to address it. A link to VMware’s advisory with more information can be found below:
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.