VMware Issues Updated Fix For Critical ESXi Flaw

A previous fix for the critical remote code execution bug was “incomplete,” according to VMware.

VMware issued an updated fix for a critical-severity remote code execution flaw in its ESXi hypervisor products.

Wednesday’s VMware advisory said updated patch versions were available after it was discovered that the previous patch, released Oct. 20, did not completely address the vulnerability, because certain affected versions were not covered by the earlier update.

“Updated patch versions in the response matrix of section 3a after release of ESXi patches that completed the incomplete fix for CVE-2020-3992 on 2020-11-04,” said Oracle’s updated advisory.

The flaw exists in the OpenSLP feature of VMware ESXi. ESXi is a hypervisor that uses software to abstract processor, memory, storage and networking resources into multiple virtual machines (VMs). Each virtual machine runs its own operating system and applications. OpenSLP, meanwhile, is an open-standard technology that allows systems to discover services available for use on the network.

The implementation of OpenSLP in ESXi has a use-after-free (UAF) issue, according to VMware. UAF flaws stem from the incorrect use of dynamic memory during a program’s operation: if a program does not clear the pointer to a memory location after freeing it, an attacker can leverage this flaw.

In the case of this specific flaw, “a malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution,” the advisory said. Further details of the flaw are not yet available.

The flaw (CVE-2020-3992) has a CVSS score of 9.8 out of 10, making it critical.

The advisory previously said the flaw affects ESXi versions 6.5, 6.7 and 7.0; the list of affected products has now been updated to include ESXi implementations on VMware Cloud Foundation 3.x and 4.x. VMware Cloud Foundation is the hybrid cloud platform for managing VMs and orchestrating containers, built on full-stack hyperconverged infrastructure (HCI) technology. ESXi software can be installed on Cloud Foundation servers.

While ESXi users can update to fixed versions ESXi70U1a-17119627 (for version 7), ESXi670-202011301-SG (for version 6.7) and ESXi650-202011401-SG (for version 6.5), a patch is still “pending” for affected VMware Cloud Foundation versions.

Lucas Leong (@_wmliang_) with Trend Micro’s Zero Day Initiative was credited with reporting the flaw. Threatpost reached out to Leong for further comment.

VMware’s October update also issued patches for important flaws (CVE-2020-3993, CVE-2020-3994, CVE-2020-3995 and CVE-2020-3981) as well as a moderate-severity vulnerability (CVE-2020-3982).

Earlier this year, a critical information-disclosure bug was disclosed in VMware’s Directory Service (vmdir). If exploited, the flaw could have exposed the contents of entire corporate virtual infrastructures.
