VMware closes RCE vulnerability in ESXi and Horizon

VMware RCE vulnerability in ESXi
Written by Emma Davis

VMware has released patches for vulnerabilities that came to light at the Tianfu Cup hacking contest, closing an RCE vulnerability in ESXi and Horizon.

Participants in the November competition compromised the ESXi bare-metal hypervisor, gaining the ability to execute arbitrary code on the target system.

The exploit earned the researchers $200,000, the largest prize in the competition. Details of the bug were immediately passed to VMware, and the vulnerability was later assigned the identifier CVE-2019-5544 with a critical severity rating.

“OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue as critical, with a maximum CVSSv3 base score of 9.8”, VMware's developers write.

The vulnerability affects ESXi versions 6.0, 6.5 and 6.7, as well as the Horizon DaaS 8.x platform (Desktop-as-a-Service, used to deliver virtual desktops). The flaw lies in the OpenSLP component, a free implementation of the Service Location Protocol that these products use to discover resources on corporate networks.

According to VMware, the vulnerability is a heap buffer overflow.

“An attacker with access to port 427 on the ESXi host or any Horizon DaaS control device can overwrite the OpenSLP heap, which will lead to remote code execution”, the developers warn.

VMware has published patches for all affected versions of ESXi. Horizon DaaS administrators are offered a temporary workaround for now; the vendor says it does not affect the platform's functionality, but recommends applying the update as soon as the patch is published.

ESXi users who cannot install the patch promptly can also protect themselves by disabling SLP. Once it is disabled, clients that connect to the host on port 427 will no longer be able to use that service.
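As an added defender-side check (not from the article or from VMware), the following Python script audits an inventory of ESXi hosts for SLP still reachable on port 427 and flags hosts in the affected 6.0/6.5/6.7 families; the host names and versions in the inventory are constructed placeholders.

```python
import socket

SLP_PORT = 427
# ESXi release families the article lists as affected by CVE-2019-5544.
AFFECTED_FAMILIES = {"6.0", "6.5", "6.7"}


def slp_port_open(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds (SLP still reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def in_affected_family(version: str) -> bool:
    """True if an ESXi version string such as '6.7.0' belongs to an affected family."""
    parts = version.strip().split(".")
    return ".".join(parts[:2]) in AFFECTED_FAMILIES


def assess(host: str, version: str, port: int = SLP_PORT) -> str:
    """Classify one host as 'exposed', 'mitigated' or 'ok'."""
    reachable = slp_port_open(host, port)
    affected = in_affected_family(version)
    if affected and reachable:
        return "exposed"    # affected family with SLP reachable: patch or disable SLP
    if affected:
        return "mitigated"  # SLP not reachable (workaround in place); still install the patch
    return "ok"             # version outside the families the advisory lists


def open_test_listener():
    """Bind a loopback listener on an ephemeral port so the checker can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed inventory (placeholder names); replace with hosts and versions from vCenter.
    inventory = [("esxi-01.example.internal", "6.7.0"), ("esxi-02.example.internal", "6.5.0")]
    for name, ver in inventory:
        print(f"{name} ({ver}): {assess(name, ver)}")
```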

The first Tianfu Cup tournament was held in 2018, shortly after Chinese hackers were barred from taking part in international events. Before that, teams from China consistently led professional tournaments: at Pwn2Own 2017, for example, they took five of the seven awards, including a record $105,000 for escaping a VMware virtual machine.

Recall also that researchers Decoder and Chris Danieli recently discovered a vulnerability in Dropbox for Windows that could allow attackers to elevate their privileges to SYSTEM, and have already created a PoC exploit for it.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
