See runZero in action

Contact us to book a demo with our team.

Finding VMware ESXi assets

(updated ), by Pearce Barry

Popular hypervisor ESXi has been in the news recently due to fresh targeting by a new strain of ransomware. Known as ESXiArgs, this ransomware leverages a 2-year old heap overflow issue in the OpenSLP service that can be leveraged to gain remote code execution on exploitable targets (CVE-2021-21974). Many vulnerable public-facing ESXi servers have already been affected by this malware (currently over 1,900 via Censys search results).

What is the impact? #

Targets of this new ransomware campaign are older ESXi servers running certain versions of 6.5, 6.7, or 7 releases and also have the OpenSLP service enabled (it has not been enabled by default in ESXi releases since 2021). Upon successful exploitation of CVE-2021-21974, the ESXiArgs ransomware will encrypt a number of file types on the target system, including VM-related files with extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. Ransom notes are saved as HTML files on compromised systems for admins and users to subsequently discover. While some of these ransom notes claim to have stolen data from vulnerable targets, no data exfiltration has been observed at this time.

Are updates available? #

VMware made patches available when the OpenSLP heap-overflow vulnerability was initially reported in 2021. The following ESXi releases have been patched against this attack vector currently being exploited by the ESXiArgs campaign:

  • ESXi version 7+ (ESXi70U1c-17325551 and later)
  • ESXi version 6.7+ (ESXi670-202102401-SG and later)
  • ESXi version 6.5+ (ESXi650-202102101-SG and later)

VMware also offers patched releases for Cloud Foundation (ESXi), which includes an ESXi component:

  • Cloud Foundation (ESXi) version 4.2+
  • Patching instructions for Cloud Foundation (ESXi) version 3.x can be found here

Patching (and also ensuring that your ESXi servers are running a supported, not end-of-life/end-of-support version) is the best course of action. If patching is not a near-term option, VMware has a recommended mitigation via disabling the OpenSLP service.

How do I find potentially vulnerable VMware ESXi assets with runZero? #

From the Asset Inventory, use the following pre-built query to locate ESXi assets which may need remediation:

os.product:"ESX" and (os.version:="1.%" or os.version:="2.%" or os.version:="3.%" or os.version:="4.%" or os.version:="5.%" or os.version:="6.0%" or os.version:="6.5.0 build-4564106" or os.version:="6.5.0 build-4887370" or os.version:="6.5.0 build-5146843" or os.version:="6.5.0 build-5146846" or os.version:="6.5.0 build-5224529" or os.version:="6.5.0 build-5310538" or os.version:="6.5.0 build-5969300" or os.version:="6.5.0 build-5969303" or os.version:="6.5.0 build-6765664" or os.version:="6.5.0 build-7273056" or os.version:="6.5.0 build-7388607" or os.version:="6.5.0 build-7967591" or os.version:="6.5.0 build-8285314" or os.version:="6.5.0 build-8294253" or os.version:="6.5.0 build-8935087" or os.version:="6.5.0 build-9298722" or os.version:="6.5.0 build-10175896" or os.version:="6.5.0 build-10390116" or os.version:="6.5.0 build-10719125" or os.version:="6.5.0 build-10868328" or os.version:="6.5.0 build-10884925" or os.version:="6.5.0 build-11925212" or os.version:="6.5.0 build-13004031" or os.version:="6.5.0 build-13635690" or os.version:="6.5.0 build-13873656" or os.version:="6.5.0 build-13932383" or os.version:="6.5.0 build-14320405" or os.version:="6.5.0 build-14874964" or os.version:="6.5.0 build-14990892" or os.version:="6.5.0 build-15256468" or os.version:="6.5.0 build-15177306" or os.version:="6.5.0 build-15256549" or os.version:="6.5.0 build-16207673" or os.version:="6.5.0 build-16389870" or os.version:="6.5.0 build-16576879" or os.version:="6.5.0 build-16576891" or os.version:="6.5.0 build-16901156" or os.version:="6.5.0 build-17097218" or os.version:="6.5.0 build-17167537" or os.version:="6.7.0 build-8169922" or os.version:="6.7.0 build-8941472" or os.version:="6.7.0 build-9214924" or os.version:="6.7.0 build-9484548" or os.version:="6.7.0 build-10176752" or os.version:="6.7.0 build-10176879" or os.version:="6.7.0 build-10302608" or os.version:="6.7.0 build-10764712" or os.version:="6.7.0 build-11675023" or os.version:="6.7.0 build-13004448" or os.version:="6.7.0 build-12986307" or os.version:="6.7.0 build-13006603" or os.version:="6.7.0 build-13473784" or os.version:="6.7.0 build-13644319" or os.version:="6.7.0 build-13981272" or os.version:="6.7.0 build-14141615" or os.version:="6.7.0 build-14320388" or os.version:="6.7.0 build-15018017" or os.version:="6.7.0 build-15160134" or os.version:="6.7.0 build-15160138" or os.version:="6.7.0 build-15999342" or os.version:="6.7.0 build-15820472" or os.version:="6.7.0 build-16075168" or os.version:="6.7.0 build-16316930" or os.version:="6.7.0 build-16701467" or os.version:="6.7.0 build-16713306" or os.version:="6.7.0 build-16773714" or os.version:="6.7.0 build-17167699" or os.version:="6.7.0 build-17098360" or os.version:="6.7.0 build-17167734" or os.version:="7.0.0%" or os.version:="7.0.1 build-16850804" or os.version:="7.0.1 build-17119627" or os.version:="7.0.1 build-17168206" or os.version:="7.0.1 build-17325020")

Each ESXi asset returned in the query results should be checked if the OpenSLP service is enabled. If OpenSLP is enabled, then the asset is vulnerable to exploitation.

VMware ESXi prebuilt query is available in the Queries Library

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding potentially vulnerable VMware ESXi assets?

Get started
Learn more about runZero
Pearce Barry
Written by Pearce Barry

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.

Similar Content

November 9, 2023

How to find SysAid Help Desk instances

How to find SysAid Help Desk instances # On the evening of November 8th Microsoft Threat Intelligence announced that they had discovered attacks by a ransomware gang against the SysAid Help Desk software using a zero-day exploit (CVE-2023-47246). These attacks leveraged a …

Read More

November 1, 2023

How to find Apache ActiveMQ instances

How to find Apache ActiveMQ® instances # On October 25th the Apache team announced a vulnerability (CVE-2023-46604) in ActiveMQ that could lead to unauthenticated remote code execution. Shortly after the issue was disclosed exploits started to appear and the Rapid7 MDR team …

Read More

October 30, 2023

Finding NGINX Ingress Controllers with runZero

Today, three vulnerabilities in the NGINX Ingress Controller for Kubernetes were disclosed, as described in this article from The Hacker News. These vulnerabilities have CVSS scores ranging from 7.6 to 8.8; all of these scores are considered high. These vulnerabilities have …

Read More