The vulnerability used to infect ESXi servers, registered as CVE-221-21974, is caused by a Heap Based Buffer Overflow in the OpenSLP service. In this regard, even on December 8, 2022 (December 17, 1401), news of a security bug was published that warned about the activation of the OpenSLP service.
In February 2021 (Bahan 1400), when VMware released the security patch for this vulnerability, it still warned that hackers may be able to launch their attacks through a malicious agent accessing the same network segment through port 427. This vulnerability received a severity warning level of 8.8 out of 10 and is among critical vulnerabilities. A few months later, its Proof-of-Concept codes and instructions for use became available. However, the number of victims is still very high.
The reason for the large number of victims is due to factors beyond reach. For example, OVH, a French company that provides cloud hosting services, said it had not been able to install security patches on servers that its customers had installed.
Julian LevardOVH’s chief information security manager said that since ESXi operating system can only be installed on physical computer servers, so far they have tried several solutions to identify vulnerable servers so that, based on automation reports, they can detect the installation of ESXi by their customers; But due to not having access to the clients’ servers, they had limited initiative.
Meanwhile, the company has blocked access to port 427 to notify the administrator of vulnerable servers when it is identified.