Warning of Zero-Day Vulnerability in VMware ESXi System

The National Cyber Security Centre SK-CERT warns of a zero-day vulnerability in the VMware ESXi system, which can be exploited using valid ESXi credentials. The vulnerability allows code execution inside virtual servers as a privileged user without knowledge of the credentials to those virtual servers.

In order to exploit the vulnerability, access to the ESXi administrative interface is required, and thus the CVSS score reaches only 3.9; nevertheless, this vulnerability is being actively exploited by the UNC3386 group. The situation is worsened by the fact that the VMware virtualization platform is very widespread in Slovakia and not all organizations pay attention to updating it regularly.

The UNC3386 hacking group, allegedly sponsored by the Chinese government, has been exploiting this vulnerability for a long time to install malicious code used for espionage. It is therefore advisable to check virtual servers for possible indicators of compromise and the presence of malware.

The vulnerability is tracked as CVE-2023-20867. It has a negative impact on the system's confidentiality and integrity, as a fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations.

Recommendations

  • update all components of the VMware virtualization platform
  • check virtual servers for presence of malicious code
  • in the event of a cybersecurity incident detection, report the incident to the National Cyber Security Centre SK-CERT at [email protected].

Sources

https://www.bleepingcomputer.com/news/security/chinese-hackers-used-vmware-esxi-zero-day-to-backdoor-vms/

https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass