A criminal group that deployed the RansomExx ransomware is actively exploting the vulnerabilities in VMWare ESXi to encrypt the victim’s virtual hard drive. A senior security engineer commented below on these vulnerabilities.
<p>The targeting of enterprise infrastructure by ransomware is a good example of why it is important to carry out updates and patching for all elements within the enterprise. A significant level of effort is put into updating and patching your normal Desktop and Server operating systems, but the underlying systems for virtualisation that support these are often overlooked.</p>
<p>Due to its global prevalence, VMWare is a lucrative platform for attackers to target. Luckily the recommendations in this instance are pretty straight forward, users of VMWare ESXi should prioritise implementing patches for both CVE-2019-5544 and CVE-2020-3992, or disable SLP support to prevent attacks if the protocol isn\’t needed.</p>
<p>If an attacker is in the network and able to access the port 427, they are likely to have already exploited the vulnerability, as the RansomExx group has shown. Organisations should not assume that this is just a ‘possibility’. The vulnerabilities CVE-2019-5544 and CVE-2020-3992 are present in the OpenSLP (Service Location Protocol) component and can be misused by the attacker to conduct a remote code execution. </p> <p> </p> <p>These vulnerabilities are critical and should not be taken lightly. Organisations using software that has been identified as being vulnerable, should patch the vulnerabilities with available patches immediately.</p>
<p>The targeting of enterprise infrastructure by ransomware is a good example of why it is important to carry out updates and patching for all elements within the enterprise. A significant level of effort is put into updating and patching your normal Desktop and Server operating systems, but the underlying systems for virtualisation that support these are often overlooked.</p>
<p>Due to its global prevalence, VMWare is a lucrative platform for attackers to target. Luckily the recommendations in this instance are pretty straight forward, users of VMWare ESXi should prioritise implementing patches for both CVE-2019-5544 and CVE-2020-3992, or disable SLP support to prevent attacks if the protocol isn\’t needed.</p>
<p>If an attacker is in the network and able to access the port 427, they are likely to have already exploited the vulnerability, as the RansomExx group has shown. Organisations should not assume that this is just a ‘possibility’. The vulnerabilities CVE-2019-5544 and CVE-2020-3992 are present in the OpenSLP (Service Location Protocol) component and can be misused by the attacker to conduct a remote code execution. </p> <p> </p> <p>These vulnerabilities are critical and should not be taken lightly. Organisations using software that has been identified as being vulnerable, should patch the vulnerabilities with available patches immediately.</p>