VMware advises ESXi users to update as soon as possible and to disable the OpenSLP service to counter the recent ESXiArgs ransomware. It also confirms that the attack does not exploit a zero-day vulnerability.
VMware states in its response that the attack does not involve a zero-day vulnerability. In the statement, VMware indicates that it involves so-called End of General Support (EOGS) and/or obsolete products with vulnerabilities that have already been addressed.
More concretely, researchers have already found that it specifically concerns VMware ESXi 7.x (build ESXi70U1c-17325551), ESXi 6.7.x (build ESXi670-202102401-SG) and ESXi 6.5.x (build ESXi650-202102101-SG). ESXi hypervisor versions 6.x to 6.7 are especially targeted.
Advice to upgrade and disable OpenSLP
According to the virtualization and cloud specialist, patches and so-called VMware Security Advisories (VMSAs) for the vulnerabilities in these specific versions have been available for some time. VMware therefore urges users to update to the latest versions of VMware ESXi and/or VMware vSphere components as soon as possible.
It also urges users to disable the OpenSLP service. VMware ESXi 7.0 U2c and ESXi 8.0 GA, released in 2021, already have this service disabled by default.
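As an added example, not VMware's own tooling and not code from the article: a POSIX shell script that classifies an ESXi host's build against the 7.x build named above (17325551, the patched build) and, when run in an ESXi shell, disables the OpenSLP service with the commands VMware documents for that purpose in KB 76372 (stop slpd, close the CIMSLP firewall ruleset, chkconfig it off). The function names, the sample `vmware -v` strings and the constructed build numbers are assumptions; 6.x hosts are only flagged for advisory review because the article names those patches by identifier rather than by numeric build.

```shell
#!/bin/sh
# Added example (not VMware's own tooling). Checks an ESXi host's reported build
# against the patched 7.x build named in the article and, on a live ESXi shell,
# disables the OpenSLP service the way VMware's guidance describes.

# Patched build for the 7.x line, from the article (ESXi70U1c = build 17325551).
FIXED_BUILD_70=17325551

# esxi_build_status "<first line of 'vmware -v' output>"
# Prints "patched" or "vulnerable" for 7.x hosts, "eol-check-advisory" for 6.x
# hosts (the article gives only patch identifiers, not numeric builds, for 6.5/6.7),
# and "unknown" when the line cannot be parsed.
esxi_build_status() {
    line="$1"
    # e.g. "VMware ESXi 7.0.1 build-17325551" -> version "7.0.1", build "17325551"
    version=$(printf '%s\n' "$line" | sed -n 's/.*ESXi \([0-9][0-9.]*\) build-\([0-9]*\).*/\1/p')
    build=$(printf '%s\n' "$line" | sed -n 's/.*ESXi \([0-9][0-9.]*\) build-\([0-9]*\).*/\2/p')
    [ -n "$version" ] && [ -n "$build" ] || { echo unknown; return 0; }
    case "$version" in
        7.*)
            if [ "$build" -ge "$FIXED_BUILD_70" ]; then echo patched; else echo vulnerable; fi ;;
        6.*)
            echo eol-check-advisory ;;
        *)
            echo unknown ;;
    esac
}

# disable_openslp
# Runs the commands VMware documents for disabling SLP on ESXi. Prints "not-esxi"
# and does nothing when esxcli is absent, so the script is safe to source elsewhere.
disable_openslp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo not-esxi; return 0
    fi
    /etc/init.d/slpd stop                               # stop the running SLP daemon
    esxcli network firewall ruleset set -r CIMSLP -e 0  # close the SLP firewall ruleset (427/tcp+udp)
    chkconfig slpd off                                  # keep the service off across reboots
    if chkconfig --list | grep -q '^slpd[[:space:]]*off'; then echo disabled; else echo failed; fi
}

# Stand-alone use on a host: report the build status, then disable SLP.
if command -v vmware >/dev/null 2>&1; then
    esxi_build_status "$(vmware -v | head -n 1)"
    disable_openslp
fi
```

A host that reports "patched" still benefits from disabling SLP, since the article's advice is to do both; a host reporting "vulnerable" should be treated as exposed until it is updated.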
Global ransomware attack
Yesterday it was announced that since Feb. 3, thousands of VMware ESXi servers worldwide, mainly in Europe, the U.S. and Canada, have been attacked by the new ransomware variant ESXiArgs. The ransomware gains access to servers running the outdated and unpatched software via a so-called “heap overflow” in the OpenSLP service that ships with ESXi. Notably, the attack used the so-called Sosemanuk algorithm, among others.