
DETECTION OVERVIEW

VMware ESXi OpenSLP Exploit Attempt - CVE-2021-21974

Risk Factors

An attacker with access to an ESXi network segment and port 427 on the target ESXi device can exploit this OpenSLP vulnerability if the affected service is running and unpatched. A successful exploitation attempt can enable an attacker to gain control of the ESXi Hypervisor.

Kill Chain

Exploitation

Risk Score

94


Attack Background

The Service Location Protocol (SLP) is a service directory protocol that enables network devices to find the location and configuration of networked services on a network. VMware ESXi includes a custom implementation of SLP called OpenSLP, which has a vulnerability in how directory agent advertisement requests are handled. In an exploit attempt, an attacker creates a malicious request. The request exceeds a specified length and contains a known malicious value. OpenSLP processes the malicious request, resulting in a heap overflow. The heap overflow can lead to remote command execution (RCE) with unrestricted privileges on the underlying operating system.
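The attack pattern described above (a directory agent advertisement whose declared length is unusually large, sent to the ESXi host's SLP port) can be checked for in captured traffic with a small SLPv2 header parser. The following is an added example and is not part of this detection page or of RevealX; the header layout and function IDs come from RFC 2608, while the 1024-byte alert threshold, the `assess_slp_datagram` function name and the sample datagrams are assumptions constructed for illustration, since the page does not state the specific length or value the exploit uses.

```python
"""Flag suspicious SLPv2 datagrams sent to port 427 (header layout from RFC 2608)."""
from dataclasses import dataclass

SLP_PORT = 427          # well-known SLP port served by slpd on ESXi
SLP_HEADER_LEN = 14     # fixed header bytes before the language tag
FUNC_DAADVERT = 8       # directory agent advertisement

# Function IDs defined in RFC 2608 section 8
SLP_FUNCTIONS = {
    1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDereg", 5: "SrvAck",
    6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
    10: "SrvTypeRply", 11: "SAAdvert",
}

# Assumed alert threshold: the page only says the malicious request
# "exceeds a specified length"; tune this against baseline DAAdvert sizes.
DAADVERT_ALERT_BYTES = 1024


@dataclass
class SlpHeader:
    version: int
    function_id: int
    length: int      # total message length declared in the header
    flags: int
    xid: int
    lang_tag: str


def parse_slp_header(data: bytes) -> SlpHeader:
    """Decode ver(1) func(1) len(3) flags(2) ext-offset(3) xid(2) langlen(2) lang."""
    if len(data) < SLP_HEADER_LEN:
        raise ValueError("datagram shorter than SLP header")
    lang_len = int.from_bytes(data[12:14], "big")
    if len(data) < SLP_HEADER_LEN + lang_len:
        raise ValueError("language tag runs past end of datagram")
    return SlpHeader(
        version=data[0],
        function_id=data[1],
        length=int.from_bytes(data[2:5], "big"),
        flags=int.from_bytes(data[5:7], "big"),
        xid=int.from_bytes(data[10:12], "big"),
        lang_tag=data[14:14 + lang_len].decode("ascii", "replace"),
    )


def assess_slp_datagram(dst_port: int, payload: bytes) -> list[str]:
    """Return detection findings for one UDP datagram; an empty list means nothing suspicious."""
    findings = []
    if dst_port != SLP_PORT:
        return findings
    try:
        hdr = parse_slp_header(payload)
    except ValueError as exc:
        return [f"malformed_slp:{exc}"]
    if hdr.version != 2:
        findings.append(f"unexpected_version:{hdr.version}")
    if hdr.function_id not in SLP_FUNCTIONS:
        findings.append(f"unknown_function:{hdr.function_id}")
    # In a UDP datagram the declared length should equal the payload size;
    # a mismatch is a common sign of a message crafted to confuse a parser.
    if hdr.length != len(payload):
        findings.append(f"length_mismatch:declared={hdr.length},actual={len(payload)}")
    # The pattern the page describes: an oversized DAAdvert aimed at the ESXi host
    if hdr.function_id == FUNC_DAADVERT and hdr.length > DAADVERT_ALERT_BYTES:
        findings.append(f"oversized_daadvert:{hdr.length}")
    return findings


def build_slp_message(function_id: int, body: bytes, lang: str = "en") -> bytes:
    """Constructed test helper: wrap a body in a well-formed SLPv2 header."""
    lang_b = lang.encode("ascii")
    total = SLP_HEADER_LEN + len(lang_b) + len(body)
    header = (
        bytes([2, function_id])
        + total.to_bytes(3, "big")
        + (0).to_bytes(2, "big")        # flags
        + (0).to_bytes(3, "big")        # next extension offset
        + (0x1234).to_bytes(2, "big")   # XID
        + len(lang_b).to_bytes(2, "big")
        + lang_b
    )
    return header + body


# Constructed sample datagrams (not captured traffic)
BENIGN_DAADVERT = build_slp_message(FUNC_DAADVERT, b"\x00" * 64)        # 80 bytes
OVERSIZED_DAADVERT = build_slp_message(FUNC_DAADVERT, b"\x00" * 2000)   # 2016 bytes
SRVRQST = build_slp_message(1, b"\x00" * 32)

if __name__ == "__main__":
    samples = [("benign", 427, BENIGN_DAADVERT),
               ("oversized", 427, OVERSIZED_DAADVERT),
               ("off-port", 8080, SRVRQST)]
    for name, port, pkt in samples:
        print(name, assess_slp_datagram(port, pkt))
```

Only the oversized DAAdvert produces a finding. In practice the threshold should be set from a baseline of legitimate DAAdvert sizes on the segment, and the port-427 check should be applied to TCP as well as UDP, where the declared-length comparison has to be done on the reassembled stream rather than per datagram.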

Mitigation Options

Install relevant patches for affected versions
If unable to patch, disable the SLP service on VMware ESXi by following the steps in KB76372 (see the link below)

MITRE ATT&CK ID
