
VMware Warns: Disable OpenSLP on ESXi Servers Against Ransomware

VMware advises virtual machine administrators to disable OpenSLP on ESXi servers. Ransomware has recently been spreading via this feature, exploiting an old vulnerability for which a patch already exists.

VMware warns in an advisory blog that administrators of VMware machines should disable OpenSLP on ESXi machines. Also, users should update their vSphere components to recent versions, the company says.

With this advice, the company is responding to the ESXiArgs ransomware, which has been doing the rounds in recent weeks. Security companies and agencies, such as the National Cyber Security Center in the Netherlands, are warning about that ransomware. Criminals try to infect ESXi machines with ransomware called ESXiArgs. To do this, they exploit a vulnerability in OpenSLP, the Service Location Protocol library installed in the vSphere Client on ESXi machines. That vulnerability, CVE-2021-21972, makes remote code execution possible. If attackers can reach a machine that is accessible via HTTPS port 443, they can infect it with ransomware.

VMware emphasizes that the ESXiArgs ransomware does not use a new vulnerability such as a zero-day, but a vulnerability for which a patch already exists. The victims are usually administrators who have not yet installed that patch, although it was released in February 2021. “Most reports show that the affected products have end of general support status,” writes VMware. Administrators who are unable to upgrade for any reason can instead apply a workaround so that they are not vulnerable. Since 2021, the vulnerable service is no longer on by default on ESXi servers.
