CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 97.2%
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
NOTE: VMware issued a follow-up patch (a patch for the original patch) on 2020-11-04. The advisory URL, <https://www.vmware.com/security/advisories/VMSA-2020-0023.html>, did not change.
Recent assessments:
bwatters-r7 at October 20, 2020 6:20pm UTC reported:
This is one of a set of vulnerabilities from the Zero Day Initiative affecting VMware products. This is the most significant and most valuable to attackers in my opinion as this affects ESXi servers which are difficult and sometimes impossible to patch, depending on the age and type of hardware. VMware ESXi updates can be done through a VMware vCenter server, but as those are not present in all environments, a complex, manual update may be necessary, assuming the update is compatible with the hardware. The lack of legacy support and possible manual nature of VMware ESXi’s update process will likely increase the time-availability of this vulnerability for attackers, even in enterprise environments.
The exploit target is the OpenSLP service on port 427, open and running in a default configuration. Here is a UDP nmap scan of an affected server:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-20 13:05 CDT
Nmap scan report for server.redacted (xxx.xxx.xxx.xxx)
Host is up (0.00055s latency).
Not shown: 998 open|filtered ports
PORT STATE SERVICE
161/udp closed snmp
427/udp open svrloc
Nmap done: 2 IP addresses (1 host up) scanned in 10.32 seconds
The service is vulnerable to a specially crafted packet that can cause a use-after-free allowing arbitrary code execution. It is important to note that in the VMware advisory here (<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>), they include impacted products other than ESXi, but those are for other vulnerabilities that are less severe. A good breakdown of the vulnerabilities is here: <https://www.cybersecurity-help.cz/vdb/SB2020102044>
I have not yet seen a PoC for this vulnerability, so it is difficult to comment on the exact difficulty for the exploit, but given the nature of ESXi servers as often critical infrastructure with access to login servers like Domain Controllers, their high uptime requirements, specialty operating system, and difficulty patching, even if the exploit were highly complex, it would still be worth it for a given attacker.
Assessed Attacker Value: 4
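The assessment above identifies the exposure condition defenders care about: an ESXi host answering on 427/udp (svrloc) with OpenSLP in its default configuration. The following is an added example, not code from the assessment author or from VMware, that parses nmap UDP scan output in the format quoted above and classifies each host's SLP exposure so unpatched hosts can be prioritised. The hostnames and addresses in the embedded sample are constructed (RFC 5737 documentation range), and the sample deliberately includes the UDP edge case where a port is not listed at all and inherits the "Not shown: ... open|filtered" default, which nmap reports when it gets no reply and therefore cannot tell open from filtered.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the nmap -sU output quoted in the assessment.
# Host A exposes 427/udp, host B has it closed, host C does not list it at all,
# so it falls under nmap's "Not shown ... open|filtered" default for UDP.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-20 13:05 CDT
Nmap scan report for esxi-a.example.invalid (192.0.2.10)
Host is up (0.00055s latency).
Not shown: 998 open|filtered ports
PORT     STATE  SERVICE
161/udp  closed snmp
427/udp  open   svrloc

Nmap scan report for esxi-b.example.invalid (192.0.2.11)
Host is up (0.00061s latency).
Not shown: 998 open|filtered ports
PORT     STATE  SERVICE
161/udp  closed snmp
427/udp  closed svrloc

Nmap scan report for 192.0.2.12
Host is up (0.00040s latency).
Not shown: 999 open|filtered ports
PORT     STATE  SERVICE
161/udp  closed snmp
Nmap done: 3 IP addresses (3 hosts up) scanned in 10.32 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[^)]+)\))?$")
NOT_SHOWN_RE = re.compile(r"^Not shown: \d+ (?P<state>\S+) ports?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

SLP_PORT = 427  # OpenSLP / svrloc, the service named in the advisory


@dataclass
class HostReport:
    name: str
    ip: str
    default_state: str = "unknown"          # state nmap assigns to unlisted ports
    ports: dict = field(default_factory=dict)  # (port, proto) -> (state, service)

    def state_of(self, port, proto="udp"):
        """State of a port, falling back to the host's 'Not shown' default."""
        state, _service = self.ports.get((port, proto), (self.default_state, None))
        return state


def parse_nmap(text):
    """Parse normal (non-XML) nmap output into one HostReport per host."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # A bare IP has no parenthesised address; reuse the name as the IP.
            current = HostReport(name=m["name"], ip=m["ip"] or m["name"])
            hosts.append(current)
            continue
        if current is None:
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            current.default_state = m["state"]
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports[(int(m["port"]), m["proto"])] = (m["state"], m["service"])
    return hosts


def slp_exposure(hosts, port=SLP_PORT):
    """Map each host IP to 'open', 'ambiguous' (open|filtered) or 'closed'.

    'ambiguous' hosts need a follow-up check (e.g. a targeted probe from
    inside the management network) before they can be ruled out.
    """
    result = {}
    for host in hosts:
        state = host.state_of(port, "udp")
        if state == "open":
            result[host.ip] = "open"
        elif state == "open|filtered":
            result[host.ip] = "ambiguous"
        else:
            result[host.ip] = "closed"
    return result


if __name__ == "__main__":
    for ip, verdict in slp_exposure(parse_nmap(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{ip}: 427/udp {verdict}")
```

Run it against real `nmap -sU -p 427` output saved to a file by reading the file into `parse_nmap` instead of the constructed sample; hosts reported as "open" or "ambiguous" are the ones to reconcile against the patched ESXi builds listed in the description and the advisory.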