The importance of keeping up to date with patching on your company’s network systems and applications cannot be overstated. This applies especially to internet-facing systems, which face a far greater volume of attacks. Recently it was discovered that a previously identified vulnerability in ESXi hypervisors (CVE-2021-21974) is being used for a new purpose: launching ransomware attacks against systems running this software that have not been patched to address it. This can leave those machines inaccessible and, depending on permissions within your network, expose other systems and applications to the same fate.
If you are reading this and use ESXi software, we strongly recommend having your IT staff or support vendor review every installed ESXi version to ensure that your systems are not vulnerable to this issue. A single forgotten instance of a vulnerable version, one believed to be decommissioned or powered off, is enough to compromise your entire environment. It is also advisable to discuss and verify whether any of your virtual hosts are internet-facing and could be exposed to unnecessary risk. Strong consideration should be given to establishing a formal schedule (at least quarterly) to review software such as ESXi and the vCenter appliance, which are typically patched manually rather than through automated patching solutions, so that they are regularly reviewed and updated to address all known security issues. Lastly, backups should be reviewed to ensure that all critical systems are backed up and that security controls, such as offline physical media or an air gap, protect the backups themselves from being compromised as well.
Below are a link to the original CVE vulnerability database entry and the currently recommended baseline version that addresses this vulnerability and all other known security vulnerabilities (at the time of this post). Please feel free to contact S.R. Snodgrass to discuss any questions you may have.
CVE – CVE-2021-21974 (mitre.org)
ESXi 7.0 Update 3i (ESXi_7.0.3-0.65.20842708)
Note: The CVE entry linked above also lists fixed versions for ESXi hypervisor versions 6.5 and 6.7; however, these reached end of life in October 2022, and we cannot recommend installing any of them since they no longer receive security patches.
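The version review recommended above, as an added example that is not part of the original post: a Python script that checks a host inventory against the baseline build from this post, flags 6.5 and 6.7 hosts as end of life, and treats any host that returned no version as unverified so a forgotten machine is not silently passed. The `vmware -v` banner format, the host names and every non-baseline build number are assumptions or constructed values, and "below-baseline" means only that a host is below this post's recommended baseline, not a determination that it is exploitable.

```python
import re
from dataclasses import dataclass

# Recommended baseline from this post: ESXi 7.0 Update 3i, build 20842708.
BASELINE_VERSION = (7, 0, 3)
BASELINE_BUILD = 20842708
# Major.minor versions the post notes reached end of life in October 2022.
EOL_VERSIONS = {"6.5", "6.7"}
# Assumed banner format, as printed by `vmware -v` on an ESXi host.
BANNER_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")

@dataclass
class HostStatus:
    host: str
    version: str
    build: int
    status: str  # "ok", "eol", "below-baseline" or "unverified"

def classify(host: str, banner: "str | None") -> HostStatus:
    """Anything not provably at or above the baseline needs review."""
    match = BANNER_RE.search(banner or "")
    if not match:
        # No usable version: a forgotten or unreachable host is still a risk.
        return HostStatus(host, "unknown", 0, "unverified")
    major, minor, patch, build = (int(g) for g in match.groups())
    version = (major, minor, patch)
    if f"{major}.{minor}" in EOL_VERSIONS:
        status = "eol"  # no longer receives security patches
    elif (version, build) >= (BASELINE_VERSION, BASELINE_BUILD):
        status = "ok"
    else:
        status = "below-baseline"
    return HostStatus(host, ".".join(map(str, version)), build, status)

def audit(inventory: dict) -> list:
    """Classify every host, listing the ones needing action first."""
    results = [classify(h, b) for h, b in inventory.items()]
    return sorted(results, key=lambda r: (r.status == "ok", r.host))

# Constructed sample inventory (host -> banner); build numbers other than the
# baseline are made up for illustration.
SAMPLE_INVENTORY = {
    "esx-prod-01": "VMware ESXi 7.0.3 build-20842708",
    "esx-prod-02": "VMware ESXi 7.0.3 build-20328353",
    "esx-dr-01": "VMware ESXi 6.7.0 build-17700523",
    "esx-lab-old": "VMware ESXi 6.5.0 build-17477841",
    "esx-new-01": "VMware ESXi 8.0.0 build-20513097",
    "esx-forgotten": None,  # powered off or unreachable during the review
}
```

Run `audit(SAMPLE_INVENTORY)` and every result whose status is not "ok" is a host to raise with your IT staff or support vendor.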