Protect Your VMware ESXi Servers from ESXiArgs Ransomware with CVE-2021-21974 Patch

VMware ESXi servers have been targeted by a new ransomware called ESXiArgs. The attackers are exploiting a two-year-old vulnerability, CVE-2021-21974, in the OpenSLP service. The vulnerability is a heap overflow that can be exploited by unauthenticated attackers. ESXi servers in versions 6.x and prior to 6.7 are the current target. VMware confirmed that this attack exploits older ESXi flaws and not a zero-day vulnerability.


The French Computer Emergency Response Team (CERT-FR) recommends applying the patch and disabling the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't been updated.

CVE-2021-21974 affects the following systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

It is also advised to scan unpatched systems for signs of compromise.

According to a Censys search, 2,400 VMware ESXi devices worldwide are currently detected as compromised. The ransomware encrypts files with .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and creates .args files for each encrypted document.

BleepingComputer shared the technical details for the attack. In case you have been attacked, security researcher Enes Sonmez (enes_dev) has shared a VMware ESXi recovery guide, allowing many admins to rebuild their virtual machines and recover their data for free.

Validate if you are affected

Quickly install our open source tool cnspec:

bash -c "$(curl -sSL https://install.mondoo.com/sh)"

Monitor your infrastructure for security misconfigurations and map those checks automatically to top compliance frameworks.

Verify that slpd is not running

We connect to the ESXi host via the vSphere API and select the ESXi server:

cnspec shell vsphere user@domain.local@vsphere-ip --ask-pass

To verify, we simply enter the following MQL query:

vsphere.host.services.none(key == "slpd" && running == true)

Validate that all patches have been installed

To get access to the vulnerability database, log in to the Mondoo Platform. Then use cnspec to assess the missing patches for your ESXi server:

cnspec vuln vsphere user@domain.local@vsphere-ip --ask-pass
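As an added example that is not part of the original post or of cnspec: a small POSIX sh script that applies the same two checks (slpd stopped, 7.x build at or past ESXi70U1c-17325551) to the output of commands run on the host itself, for hosts that cnspec cannot reach over the vSphere API. The output formats of `vmware -v` and `/etc/init.d/slpd status` it parses are assumptions, as is the sample host data.

```shell
#!/bin/sh
# Added example (not Mondoo's or the post's code). Offline checks for an ESXi
# host, fed with command output so they run without a host. Assumed formats
# (not from the post): `vmware -v` prints "VMware ESXi 7.0.1 build-NNNNN",
# `/etc/init.d/slpd status` prints "slpd is running" / "slpd is not running".

FIXED_BUILD_70=17325551   # ESXi70U1c-17325551, the 7.x fix named above
# slpd_stopped "<slpd status output>" -> 0 when slpd is not running
slpd_stopped() {
    case "$1" in
        *"slpd is not running"*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# build_from_version "<vmware -v output>" -> prints the numeric build id
build_from_version() {
    printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}

# needs_cve_2021_21974_patch "<vmware -v output>"
#   0: 7.x build older than the fix      1: fixed, or a branch not listed
#   2: undecidable from the version string (6.5/6.7 fixes are patch IDs such
#      as ESXi670-202102401-SG, not build numbers; confirm with `cnspec vuln`)
needs_cve_2021_21974_patch() {
    build=$(build_from_version "$1")
    [ -n "$build" ] || return 2
    case "$1" in
        *"ESXi 7."*) [ "$build" -lt "$FIXED_BUILD_70" ] ;;
        *"ESXi 6."*) return 2 ;;
        *)           return 1 ;;
    esac
}

# esxi_exposure "<vmware -v output>" "<slpd status output>"
#   prints one line per finding; returns 0 only when nothing is exposed
esxi_exposure() {
    rc=0
    if ! slpd_stopped "$2"; then
        echo "EXPOSED: slpd is running; stop and disable it until patched"; rc=1
    fi
    patch=0; needs_cve_2021_21974_patch "$1" || patch=$?
    case "$patch" in
        0) echo "EXPOSED: build $(build_from_version "$1") predates $FIXED_BUILD_70"; rc=1 ;;
        2) echo "UNKNOWN: confirm the 6.5/6.7 patch level with cnspec vuln" ;;
    esac
    return "$rc"
}
# Constructed sample host (example data): a 7.0 U1 build with slpd still running
esxi_exposure 'VMware ESXi 7.0.1 build-17325020' 'slpd is running' || echo "host needs attention"
```

On a real host, feed it `"$(vmware -v)"` and `"$(/etc/init.d/slpd status)"` instead of the constructed strings.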

Continuously assess VMware vCenter Server

The Mondoo Platform has full coverage for vCenter Server: deploy our vCenter appliance in minutes, manage vCenter and ESXi vulnerabilities, and check hosts against the CIS VMware ESXi 7.0 Benchmark.

Don't let ESXiArgs ransomware attack your VMware ESXi servers! Take proactive measures and secure your systems with the power of Mondoo. Sign up for a free account today to easily validate your systems and continuously assess vulnerabilities with the latest security updates. Or book a demo with us to see how Mondoo can revolutionize your cybersecurity strategy. Don't wait until it's too late, protect your systems now with Mondoo.

Christoph Hartmann

Christoph Hartmann, co-founder and CTO at Mondoo, wants to make the world more secure. He’s long been a leader in security engineering and DevOps, creating widely adopted solutions like Dev-Sec.io and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorm robots.
