OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFedora Project Fedora
OSFedoraproject3031Openslp
APPOpenslp≤ 2.0.0Red Hat Enterprise Linux Desktop
OSRedhat6.07.0Red Hat Enterprise Linux For IBM Z Systems
OSRedhat6.0_s390x7.0_s390xRed Hat Enterprise Linux For IBM Z Systems Eus
OSRedhat7.7_s390xRed Hat Enterprise Linux For Power Big Endian
OSRedhat6.0_ppc647.0_ppc64Red Hat Enterprise Linux For Power Big Endian Eus
OSRedhat7.7_ppc64Red Hat Enterprise Linux For Power Little Endian
OSRedhat7.0_ppc64leRed Hat Enterprise Linux For Power Little Endian Eus
OSRedhat7.7_ppc64leRed Hat Enterprise Linux Server
OSRedhat6.07.0Red Hat Enterprise Linux Server Aus
OSRedhat7.7Red Hat Enterprise Linux Server Eus
OSRedhat7.7Red Hat Enterprise Linux Server Tus
OSRedhat7.7Red Hat Enterprise Linux Workstation
OSRedhat6.07.0VMware ESXi
OSVmware6.06.56.7VMware Horizon Daas
APPVmware8.0.0 – 9.0.0.0 (bez)
CISA KEV — detailsi
- Vendori
- VMware ↗
- Producti
- VMware ESXi and Horizon DaaS
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
VMware ESXi and Horizon Desktop as a Service (DaaS) OpenSLP contains a heap-based buffer overflow vulnerability that allows an attacker with network access to port 427 to overwrite the heap of the OpenSLP service to perform remote code execution.
Related vulnerabilities
VMware ESXi/Workstation: TOCTOU umożliwia ucieczkę z VM przez VMX process
PHP CGI argument injection – RCE na Windows przez mechanizm Best-Fit
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox