It may be old, but CVE-2021-21974 is causing plenty of new problems for organizations. With many machines still not updated, we’re seeing the effects of a ransomware attack that isn’t going away.
Here’s everything you need to know:
What is CVE-2021-21974?
CVE-2021-21974 is a nearly two-year-old heap overflow vulnerability in VMware ESXi servers. It has been used in a massive ransomware campaign, with over 500 machines hit this year. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue.
Does it affect me?
CVE-2021-21974 affects VMware ESXi servers. This vulnerability enables remote code execution by an attacker on port 427 used by the Service Location Protocol (SLP) used by different versions of Vmware ESXI. It is a heap overflow vulnerability found in VMware ESXi, caused by an overflow in the OpenSLP service within ESXi. This vulnerability does not affect any Red Hat product and can be patched with the patch issued by VMware nearly two years ago.
Has it been actively exploited in the wild?
CVE-2021-21974 has been exploited in the wild in a ransomware attack dubbed ESXiArgs. The attack targets unpatched and unprotected VMware ESXi servers around the world. The vulnerability was patched by VMware nearly two years ago, but proof-of-concept (PoC) code and technical details were made public a couple of months after the patches were announced. This is the first reported instance of CVE-2021-21974 being exploited in the wild.
Fixing CVE-2021-21974
To fix CVE-2021-21974, VMware recommends applying the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ in their VMSA-2021-0002 advisory. Additionally, workarounds for CVE-2021-21974 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’.
To protect against attacks associated with CVE-2021-21974, admins should ensure unpatched ESXi servers are firewalled, with no ports exposed. Additionally, VMware urges users to log in to the ESXi hosts using an SSH session and deactivate the OpenSLP service on the server or restrict access to only trusted IP addresses. Finally, admins should make sure they have a backup solution in place for virtual machines as this is the only way to completely recover from attacks associated with CVE-2021-21974.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Cyber risk in 2022- a 360° view report
- MITRE ATTACK framework – mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
