A critical vulnerability has been detected in VMware ESXi. Virtual machine disks can be encrypted, especially with the vulnerability used by ransomware attack groups.

While the vulnerabilities can be tracked with CVE-2019-5544 and CVE-2020-3992, the vulnerability is thought to be first used by the group that distributed RansomExx ransomware in October.

SLP Protocol in ESXi

It is thought that the weakness is caused by the SLP protocol in ESXi. The determinations made so far may cause authority over ESXi by using this vulnerability even if there is no access to vcenter. Especially considering that common storage units are used in ESXi structures, there is a danger that all VMs in the virtualization infrastructure will be encrypted by attackers.

Although it is seen that this method was used in RansomExx attacks, it is thought that the same method was used in the Babuk Locker ransomware attack that appeared last month. In addition, the cyber security company informed KELA that encrypted disks were sold in illegal forums last year.

Update VMware

VMware has released some updates regarding the vulnerability. The measures to be taken to prevent the attack are listed in the link below. It suggests closing VMware SLP.

https://kb.vmware.com/s/article/76372

Considering companies and institutions using VMware, we recommend that the update and recommended security steps be done without delay.