Finding VMware ESXi assets

Popular hypervisor ESXi has been in the news recently due to fresh targeting by a new strain of ransomware. Known as ESXiArgs, this ransomware leverages a 2-year old heap overflow issue in the OpenSLP service that can be leveraged to gain remote code execution on exploitable targets (CVE-2021-21974). Many vulnerable public-facing ESXi servers have already been affected by this malware (currently over 1,900 via Censys search results).

What is the impact?

Targets of this new ransomware campaign are older ESXi servers running certain versions of 6.5, 6.7, or 7 releases and also have the OpenSLP service enabled (it has not been enabled by default in ESXi releases since 2021). Upon successful exploitation of CVE-2021-21974, the ESXiArgs ransomware will encrypt a number of file types on the target system, including VM-related files with extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. Ransom notes are saved as HTML files on compromised systems for admins and users to subsequently discover. While some of these ransom notes claim to have stolen data from vulnerable targets, no data exfiltration has been observed at this time.

Are updates available?

VMware made patches available when the OpenSLP heap-overflow vulnerability was initially reported in 2021. The following ESXi releases have been patched against this attack vector currently being exploited by the ESXiArgs campaign:

• ESXi version 7+ (ESXi70U1c-17325551 and later)
• ESXi version 6.7+ (ESXi670-202102401-SG and later)
• ESXi version 6.5+ (ESXi650-202102101-SG and later)

VMware also offers patched releases for Cloud Foundation (ESXi), which includes an ESXi component:

• Cloud Foundation (ESXi) version 4.2+
• Patching instructions for Cloud Foundation (ESXi) version 3.x can be found here

Patching (and also ensuring that your ESXi servers are running a supported, not end-of-life/end-of-support version) is the best course of action. If patching is not a near-term option, VMware has a recommended mitigation via disabling the OpenSLP service.

How do I find potentially vulnerable VMware ESXi assets with runZero?

From the Asset Inventory, use the following pre-built query to locate ESXi assets which may need remediation:

os.product:"ESX" and (os.version:="1.%" or os.version:="2.%" or os.version:="3.%" or os.version:="4.%" or os.version:="5.%" or os.version:="6.0%" or os.version:="6.5.0 build-4564106" or os.version:="6.5.0 build-4887370" or os.version:="6.5.0 build-5146843" or os.version:="6.5.0 build-5146846" or os.version:="6.5.0 build-5224529" or os.version:="6.5.0 build-5310538" or os.version:="6.5.0 build-5969300" or os.version:="6.5.0 build-5969303" or os.version:="6.5.0 build-6765664" or os.version:="6.5.0 build-7273056" or os.version:="6.5.0 build-7388607" or os.version:="6.5.0 build-7967591" or os.version:="6.5.0 build-8285314" or os.version:="6.5.0 build-8294253" or os.version:="6.5.0 build-8935087" or os.version:="6.5.0 build-9298722" or os.version:="6.5.0 build-10175896" or os.version:="6.5.0 build-10390116" or os.version:="6.5.0 build-10719125" or os.version:="6.5.0 build-10868328" or os.version:="6.5.0 build-10884925" or os.version:="6.5.0 build-11925212" or os.version:="6.5.0 build-13004031" or os.version:="6.5.0 build-13635690" or os.version:="6.5.0 build-13873656" or os.version:="6.5.0 build-13932383" or os.version:="6.5.0 build-14320405" or os.version:="6.5.0 build-14874964" or os.version:="6.5.0 build-14990892" or os.version:="6.5.0 build-15256468" or os.version:="6.5.0 build-15177306" or os.version:="6.5.0 build-15256549" or os.version:="6.5.0 build-16207673" or os.version:="6.5.0 build-16389870" or os.version:="6.5.0 build-16576879" or os.version:="6.5.0 build-16576891" or os.version:="6.5.0 build-16901156" or os.version:="6.5.0 build-17097218" or os.version:="6.5.0 build-17167537" or os.version:="6.7.0 build-8169922" or os.version:="6.7.0 build-8941472" or os.version:="6.7.0 build-9214924" or os.version:="6.7.0 build-9484548" or os.version:="6.7.0 build-10176752" or os.version:="6.7.0 build-10176879" or os.version:="6.7.0 build-10302608" or os.version:="6.7.0 build-10764712" or os.version:="6.7.0 build-11675023" or os.version:="6.7.0 build-13004448" or os.version:="6.7.0 build-12986307" or os.version:="6.7.0 build-13006603" or os.version:="6.7.0 build-13473784" or os.version:="6.7.0 build-13644319" or os.version:="6.7.0 build-13981272" or os.version:="6.7.0 build-14141615" or os.version:="6.7.0 build-14320388" or os.version:="6.7.0 build-15018017" or os.version:="6.7.0 build-15160134" or os.version:="6.7.0 build-15160138" or os.version:="6.7.0 build-15999342" or os.version:="6.7.0 build-15820472" or os.version:="6.7.0 build-16075168" or os.version:="6.7.0 build-16316930" or os.version:="6.7.0 build-16701467" or os.version:="6.7.0 build-16713306" or os.version:="6.7.0 build-16773714" or os.version:="6.7.0 build-17167699" or os.version:="6.7.0 build-17098360" or os.version:="6.7.0 build-17167734" or os.version:="7.0.0%" or os.version:="7.0.1 build-16850804" or os.version:="7.0.1 build-17119627" or os.version:="7.0.1 build-17168206" or os.version:="7.0.1 build-17325020")

Each ESXi asset returned in the query results should be checked if the OpenSLP service is enabled. If OpenSLP is enabled, then the asset is vulnerable to exploitation.

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding potentially vulnerable VMware ESXi assets?

Get started