{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-051.pdf"
    },
    "title": "VMware ESXi OpenSLP - Remote Code Execution Vulnerability",
    "serial_number": "2020-051",
    "publish_date": "21-10-2020 09:44:00",
    "description": "On the 20th of October 2020, VMware released a security advisory for a vulnerability affecting ESXi OpenSLP, identified as CVE-2020-3992. OpenSLP as used in VMware ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the *critical severity range with a maximum CVSSv3 base score of 9.8 out of 10.",
    "url_title": "2020-051",
    "content_markdown": "---\ntitle: ' VMware ESXi OpenSLP -- Remote\u00a0Code\u00a0Execution\u00a0Vulnerability'\nversion: '1.0'\nnumber: '2020-051'\ndate: 'October 21, 2020'\n---\n\n# Summary\n\nOn the 20th of October 2020, VMware released a security advisory for a vulnerability affecting ESXi OpenSLP, identified as CVE-2020-3992 [1]. OpenSLP as used in VMware ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the **critical severity** range with a maximum CVSSv3 base score of 9.8 out of 10.\n\n# Technical Details\n\nA malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. The specific flaw exists within the processing of SLP messages. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the SLP daemon. Authentication is not required to exploit this vulnerability.\n\nA full description of the vulnerability is available on Zero Day Initiative analysis [2].\n\n# Products Affected\n\n* ESXi 7.0 before ESXi_7.0.1-0.0.16850804\n* ESXi 6.7 before ESXi670-202010401-SG\n* ESXi 6.5 before ESXi650-202010401-SG\n\n# Recommendations\n\nTo remediate CVE-2020-3992 apply the patches listed in the _Fixed Version_ column of the _Response Matrix_ found in the VMware advisory [1]. It is strongly advised to apply the security update from VMware to fix this vulnerability as soon as possible.\n\n## Workarounds\n\nVMware has identified an workarounds for this vulnerability, the KB76372 [3].\n\n# References\n\n[1] <https://www.vmware.com/security/advisories/VMSA-2020-0023.html>\n\n[2] <https://www.zerodayinitiative.com/advisories/ZDI-20-1269/>\n\n[3] <https://kb.vmware.com/s/article/76372>\n",
    "content_html": "<h2 id=\"summary\">Summary</h2><p>On the 20th of October 2020, VMware released a security advisory for a vulnerability affecting ESXi OpenSLP, identified as CVE-2020-3992 [1]. OpenSLP as used in VMware ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the <strong>critical severity</strong> range with a maximum CVSSv3 base score of 9.8 out of 10.</p><h2 id=\"technical-details\">Technical Details</h2><p>A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution. The specific flaw exists within the processing of SLP messages. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the SLP daemon. Authentication is not required to exploit this vulnerability.</p><p>A full description of the vulnerability is available on Zero Day Initiative analysis [2].</p><h2 id=\"products-affected\">Products Affected</h2><ul><li>ESXi 7.0 before ESXi_7.0.1-0.0.16850804</li><li>ESXi 6.7 before ESXi670-202010401-SG</li><li>ESXi 6.5 before ESXi650-202010401-SG</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>To remediate CVE-2020-3992 apply the patches listed in the <em>Fixed Version</em> column of the <em>Response Matrix</em> found in the VMware advisory [1]. It is strongly advised to apply the security update from VMware to fix this vulnerability as soon as possible.</p><h3 id=\"workarounds\">Workarounds</h3><p>VMware has identified an workarounds for this vulnerability, the KB76372 [3].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.vmware.com/security/advisories/VMSA-2020-0023.html\">https://www.vmware.com/security/advisories/VMSA-2020-0023.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.zerodayinitiative.com/advisories/ZDI-20-1269/\">https://www.zerodayinitiative.com/advisories/ZDI-20-1269/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://kb.vmware.com/s/article/76372\">https://kb.vmware.com/s/article/76372</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}