Unnoticed Python backdoor designed to target ESXi servers


Juniper Threat Labs (JTL) has discovered two vulnerabilities being actively exploited in the wild. CVE-2019-5544 and CVE-2020-3992, both in ESXi's OpenSLP service, have been used since 2019 to implant backdoors on VMware ESXi virtualization servers.
VMware ESXi is an enterprise-class hypervisor developed by VMware. It is a bare-metal hypervisor: it runs directly on the system hardware without the need for a host operating system, so multiple virtual machines can run on a single piece of physical hardware.
While investigating a compromised host, JTL uncovered a simple but powerful Python backdoor script. Because log storage on the server was limited, JTL could not determine how the server had been compromised. It is unknown whether
"Although the Python scripts used in this attack are cross-platform and can be used on Linux or other UNIX-like systems with little or no modification, there are some indications that this attack was designed specifically for ESXi. The file name and location, /store/packages/vmtools.py, were chosen to give little suspicion on a virtualization host. This file begins with a VMware copyright that matches a publicly available sample and is extracted letter by letter from an existing Python file provided by VMware," JTL wrote.
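The detail that matters for defenders is the disguise: a Python file dropped into /store/packages with a VMware-style copyright header so it blends in. The following is an added triage helper, not code from the Juniper write-up or from VMware: it walks a directory of Python files, hashes each one, skips files whose SHA-256 is on a known-good allowlist, and flags the rest, noting whether the file opens with a VMware copyright header as the article describes. The directory tree, the file contents and the copyright line in `demo()` are constructed stand-ins; the allowlist on a real host would be built from a clean ESXi install.

```python
"""Added example: hunt for unexpected Python files under an ESXi package directory.

Not from the Juniper write-up; the sample tree built in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Persistence location named in the article (/store/packages/vmtools.py lived here).
DEFAULT_ROOT = "/store/packages"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_vmware_style_header(path: Path, lines: int = 5) -> bool:
    """True if the first few lines mention a VMware copyright (the disguise the article describes)."""
    try:
        with path.open("r", encoding="utf-8", errors="replace") as f:
            head = "".join(next(f, "") for _ in range(lines)).lower()
    except OSError:
        return False
    return "vmware" in head and "copyright" in head


def find_unexpected_python(root, allowlist):
    """Return one finding per .py file under root whose SHA-256 is not in allowlist.

    Each finding records the path, the digest (for sharing as an indicator) and
    whether the file carries a VMware-style header, which on an unknown file is
    a reason to look closer rather than a reason to trust it.
    """
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for p in sorted(root.rglob("*.py")):
        digest = sha256_of(p)
        if digest in allowlist:
            continue
        findings.append({
            "path": str(p),
            "sha256": digest,
            "vmware_header": has_vmware_style_header(p),
        })
    return findings


def demo():
    """Build a constructed package tree and run the check against it (no real host needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "store" / "packages"
        pkg.mkdir(parents=True)
        # Constructed stand-in for the file the article names; the header text is invented.
        suspicious = pkg / "vmtools.py"
        suspicious.write_text("# Copyright (c) VMware, Inc. (constructed header)\nimport socket\n")
        # A file an administrator knows about, so it goes on the allowlist.
        benign = pkg / "helper.py"
        benign.write_text("print('benign')\n")
        allowlist = {sha256_of(benign)}
        return find_unexpected_python(pkg, allowlist)


if __name__ == "__main__":
    # On a real host: find_unexpected_python(DEFAULT_ROOT, allowlist_from_clean_install)
    for finding in demo():
        print(finding)
```

The allowlist is keyed on content hashes rather than file names precisely because the article's point is that the name and header were chosen to look legitimate; an unknown hash in a persistence directory is the signal, and the header flag only tells an analyst that the file is trying to pass as vendor code.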
