FortiGuard Labs is aware of reports that ESXi servers around the globe that are vulnerable to the VMware ESXi OpenSLP HeapOverflow vulnerability (CVE-2021-21974) are being exploited through the OpenSLP (port 427) to deliver a new ransomware “ESXiArgs”. The ransomware encrypts files in affected ESXi servers and demand a ransom for file decryption.Why is this Significant?This is significant because a new ransomware “ESXiArgs” is being deployed to ESXi servers that are prone to the VMware ESXi OpenSLP HeapOverflow vulnerability (CVE-2021-21974). The ransomware encrypts files with pre-specified file extensions and demands a ransom from victims for file decryption.A patch for CVE-2021-21974 was released almost two years ago, which lowers the impact and severity of this incident.What is ESXiArgs Ransomware?ESXiArgs is a new ransomware that encrypts files on ESXi servers and According to OSINT, the ransomware targets files with “.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, and “.vmem” file extensions. The ransomware reportedly creates a args file containing metadata for each file it encrypted. Data exfiltration has not been reported.ESXiArgs ransomware is said to be related to another ransomware “Nevada”, however we have not been able to verify the claim.What is CVE-2021-21974 (VMware ESXi OpenSLP HeapOverflow vulnerability)?CVE-2021-21974 is a heap overflow vulnerability in OpenSLP and affects VMware ESXi version 7.0, 6.7, and 6.5. The vulnerability is due to an improper boundary check condition in the application. A remote, unauthenticated attacker can exploit this to execute arbitrary code with the privileges of the OpenSLP service, via a crafted request the target server.The vulnerability has a CVSS score of 8.8 and is rated important.Has the Vendor Released a Patch for CVE-2021-21974?Yes, VMWare released a patch for CVE-2021-21974 on February 23rd, 2021.What is the Status of Protection?FortuGuard Labs provides protection for this latest attack with the following AV signatures:ELF/Filecoder.85D3!tr.ransomLinux/Agent.SR!trPython/Agent.937D!trFortiGuard Labs has the following IPS signature in place for CVE-2021-21974 (VMware ESXi OpenSLP HeapOverflow vulnerability):• VMware.ESXi.OpenSLP.Heap.Buffer.Overflow
More Stories
WP Engine Reprieve
I’ve heard from WP Engine customers that they are frustrated that WP Engine hasn’t been able to make updates, plugin...
aws-2020-12.1.fc39
FEDORA-2024-d940f25a53 Packages in this update: aws-2020-12.1.fc39 Update description: CVE-2024-41708: Ada Web Server did not use a cryptographically secure pseudorandom number...
aws-2020-16.1.fc40
FEDORA-2024-63f98f8c60 Packages in this update: aws-2020-16.1.fc40 Update description: CVE-2024-41708: Ada Web Server did not use a cryptographically secure pseudorandom number...
Ivanti Virtual Traffic Manager (vTM ) Authentication Bypass Vulnerability (CVE-2024-7593)
What is the Vulnerability?Ivanti Virtual Traffic Manager (vTM), a software application used to manage and optimize the delivery of applications...
ZDI-24-1310: Lenovo Service Bridge Command Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Lenovo Service Bridge. User interaction is required...