The French Computer Emergency Response Team (CERT-FR) recommends applying the patch and disabling the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't been updated.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
It is also advised to scan unpatched systems for signs of compromise.
According to a Censys search, 2,400 VMware ESXi devices worldwide are currently detected as compromised. The ransomware encrypts files with .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and creates .args files for each encrypted document.
BleepingComputer shared the technical details of the attack. If you have already been hit, security researcher Enes Sonmez (@enes_dev) has shared a VMware ESXi recovery guide that has allowed many admins to rebuild their virtual machines and recover their data for free.
Validate if you are affected
Quickly install our open source tool cnspec:
Verify that slpd is not running
We connect to the ESXi host via the vSphere API and select the ESXi server:
To verify, we simply enter the following MQL query:
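As an added example (not the post's cnspec/MQL query and not Mondoo code), the same slpd check done against the output of the ESXi shell's own commands, plus a scan of a datastore listing for the `.args` files the ransomware leaves next to each encrypted file. All command output and paths are constructed samples; the remediation commands named in the findings are the standard ESXi commands for stopping SLP, disabling it at boot and closing its firewall ruleset.

```python
# Constructed sample output (not captured from a real host) of three ESXi shell
# commands, `esxcli network firewall ruleset list`, `chkconfig --list` and
# `/etc/init.d/slpd status`, plus a constructed datastore file listing.
FIREWALL_RULESETS = """\
Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
"""
CHKCONFIG = "hostd        on\nslpd         on\nsshd         on\n"
SLPD_STATUS = "slpd is running\n"
DATASTORE = [
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01.log.args",
]
TARGET_EXTS = (".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram")


def _table(text: str) -> dict[str, str]:
    """Turn two-column command output into {name: value}, skipping header lines."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] != "Name" and not parts[0].startswith("-"):
            rows[parts[0]] = parts[1].lower()
    return rows


def slp_findings(rulesets: str, chkconfig: str, status: str) -> list[str]:
    """Each finding names one SLP exposure and the ESXi command that closes it."""
    findings = []
    if "slpd is running" in status:            # "slpd is not running" does not match
        findings.append("slpd running: /etc/init.d/slpd stop")
    if _table(chkconfig).get("slpd") == "on":
        findings.append("slpd enabled at boot: chkconfig slpd off")
    if _table(rulesets).get("CIMSLP") == "true":
        findings.append("CIMSLP ruleset open: esxcli network firewall ruleset set -r CIMSLP -e 0")
    return findings


def encrypted_candidates(paths: list[str]) -> list[str]:
    """ESXiArgs leaves <file>.args beside each file it encrypts; list those files."""
    present = set(paths)
    hits = [p[:-5] for p in paths
            if p.endswith(".args") and p[:-5].endswith(TARGET_EXTS) and p[:-5] in present]
    return sorted(hits)
```

A host that passes `slp_findings` with an empty list still needs the patch; an empty `encrypted_candidates` result only says the ransomware's marker files are absent from that listing.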
Validate that all patches have been installed
To get access to the vulnerability database, log in to the Mondoo Platform. Then use cnspec to assess the missing patches for your ESXi server:
Continuously assess VMware vCenter Server
The Mondoo Platform has full coverage for vCenter Server: the vCenter appliance deploys in minutes and provides vCenter and ESXi vulnerability management as well as the CIS VMware ESXi 7.0 Benchmark.
Don't let ESXiArgs ransomware attack your VMware ESXi servers! Take proactive measures and secure your systems with the power of Mondoo.