In October 2020, VMware published security advisory VMSA-2020-0023, which claimed to fix CVE-2020-3992, a vulnerability in the OpenSLP service in ESXi. OpenSLP is used for service location. The component has a use-after-free issue that could allow a malicious actor with access to port 427 on an ESXi host to achieve remote code execution. The vulnerability was rated Critical, with a CVSS score of 9.8 out of 10.
Yesterday, the description of VMSA-2020-0023 was updated with the following line of text for CVE-2020-3992:
IMPORTANT: The ESXi patches released on October 20, 2020 did not address CVE-2020-3992 completely, see section (3a) Notes for an update.
VMware has released new patches for ESXi:
For ESXi 7.0, VMware released version ESXi70U1a-17119627. This update completely addresses CVE-2020-3992. This version replaces version ESXi_7.0.1-0.0.16850804 that was previously described as the fix.
For ESXi 6.7, VMware released version ESXi670-202011301-SG. This update completely addresses CVE-2020-3992. This version replaces version ESXi670-202010401-SG that was previously described as the fix.
For ESXi 6.5, VMware released version ESXi650-202011401-SG. This update completely addresses CVE-2020-3992. This version replaces version ESXi650-202010401-SG that was previously described as the fix.
There are currently no updated patches for VMware Cloud Foundation (ESXi) version 3.x and 4.x.
The workarounds described in KB76372 still apply. The impact of the vulnerability can be mitigated by stopping and disabling the SLP service when it is not in use. Run the following commands in the ESXi shell to do so; the first closes the CIMSLP firewall ruleset (port 427) and the second prevents slpd from starting at boot:
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
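To verify the state of the workaround across hosts, the following script (an added example, not part of the original post or of KB76372) parses the text of three ESXi-shell commands, vmware -v, esxcli network firewall ruleset list and chkconfig --list slpd, and reports whether a host is patched, has the workaround fully applied, or is still exposed. The output layouts and the sample values are constructed for the example; the only fixed build it knows is the 7.0 build taken from the patch name ESXi70U1a-17119627 above.

```python
"""Audit ESXi-shell output for the KB76372 SLP workaround and the 7.0 fixed build."""
import re

# Build taken from the patch name ESXi70U1a-17119627 in the advisory text; other
# branches are listed there by patch ID, not build, so add them from VMSA-2020-0023.
FIXED_BUILD = {"7.0": 17119627}

# Constructed sample output (vmware -v, esxcli network firewall ruleset list,
# chkconfig --list slpd) for a host on the October build without the workaround.
SAMPLE_VMWARE_V = "VMware ESXi 7.0.1 build-16850804"
SAMPLE_RULESETS = """\
Name                       Enabled
-------------------------  -------
sshServer                     true
CIMSLP                        true
ntpClient                     true
"""
SAMPLE_CHKCONFIG = "slpd                     on"

def ruleset_enabled(rulesets_text, name="CIMSLP"):
    """True if the named firewall ruleset is enabled; False if disabled or absent."""
    for line in rulesets_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == name:
            return fields[1].lower() == "true"
    return False

def slpd_on_at_boot(chkconfig_text):
    """True if chkconfig reports slpd as 'on' (started at boot)."""
    m = re.search(r"^\s*slpd\s+(\w+)", chkconfig_text, re.MULTILINE)
    return m is not None and m.group(1).lower() == "on"

def build_is_fixed(vmware_v_text):
    """True if the host build is at least the fixed build for its branch; False if unknown."""
    m = re.search(r"ESXi (\d+\.\d+)\S* build-(\d+)", vmware_v_text)
    if not m:
        return False
    fixed = FIXED_BUILD.get(m.group(1))
    return fixed is not None and int(m.group(2)) >= fixed

def audit(vmware_v_text, rulesets_text, chkconfig_text):
    """Summarise exposure: patched, workaround fully applied, SLP still reachable."""
    patched = build_is_fixed(vmware_v_text)
    cimslp_open = ruleset_enabled(rulesets_text)
    slpd_on = slpd_on_at_boot(chkconfig_text)
    return {"patched": patched,
            "workaround_applied": not cimslp_open and not slpd_on,
            "exposed": not patched and (cimslp_open or slpd_on)}
```

A host counts as "workaround_applied" only when both the firewall ruleset is disabled and slpd is off at boot; either one alone leaves the service reachable after a reboot or a ruleset change.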
Call to Action
Please install the updates for the version(s) of ESXi in use within your organization, as listed above and in the advisory for VMSA-2020-0023, even if you have already deployed the October update. The superseded October versions are also listed above.
A Remote Code Execution (RCE) vulnerability at the hypervisor layer may compromise the integrity of virtual Domain Controllers running on vulnerable hosts, affecting the Active Directory database and Group Policy settings; any such changes then replicate as authorized changes to all other Domain Controllers, including physical ones.
When Active Directory’s integrity is gone, it’s Game Over for 9/10 organizations. Please update.