CVE-2020-3992 in Detail
According to the official description:
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
It should be noted that the previous patch VMware issued on October 20 didn’t completely fix the flaw, because some of the affected versions weren’t addressed in the initial update.
The vulnerability was discovered in the OpenSLP feature of VMware ESXi. ESXi is a hypervisor that utilizes software to partition processor, memory, storage, and networking resources into multiple VMs (virtual machines). Each VM runs its own operating system and apps. As explained by VMware, “VMware ESXi effectively partitions hardware to consolidate applications and cut costs. It’s the industry leader for efficient architecture, setting the standard for reliability, performance, and support.”
What is OpenSLP? It is an open-standard protocol that enables systems to discover services that can be used on the network.
The CVE-2020-3992 vulnerability lies in the OpenSLP implementation in ESXi, which contains a use-after-free (UAF) issue. UAF vulnerabilities typically stem from incorrect handling of dynamic memory while a program runs. More specifically, if a program frees a memory location but does not clear the pointer to it, an attacker can exploit the bug.
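To make the dangling-pointer pattern concrete, here is an added C example (constructed for this article, not code from OpenSLP or ESXi) contrasting a release routine that leaves the pointer intact with one that clears it, so that a later handler can recognise an already-released buffer. The `message_t` type and the "SLP request" payload are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed illustration of the pattern described above; not OpenSLP or ESXi code. */
typedef struct {
    char *buf;    /* heap buffer holding a received message */
    size_t len;
} message_t;
int message_init(message_t *msg, const char *payload) {
    msg->len = strlen(payload);
    msg->buf = malloc(msg->len + 1);
    if (msg->buf == NULL) return -1;
    memcpy(msg->buf, payload, msg->len + 1);
    return 0;
}

/* Vulnerable pattern: buffer freed (e.g. on an error path) but msg->buf still points at it. */
void message_release_unsafe(message_t *msg) {
    free(msg->buf);                 /* any later read through msg->buf is a use-after-free */
}

/* Hardened pattern: free, then clear pointer and length so later code sees an empty message. */
void message_release_safe(message_t *msg) {
    free(msg->buf);
    msg->buf = NULL;
    msg->len = 0;
}

/* A later handler; its NULL check only protects if the release path cleared the pointer. */
int message_first_byte(const message_t *msg) {
    if (msg->buf == NULL || msg->len == 0) return -1;   /* buffer already released */
    return (unsigned char)msg->buf[0];
}

/* Returns the first byte ('S', 83) of a live message, then releases it cleanly. */
int demo_live_message(void) {
    message_t msg;
    if (message_init(&msg, "SLP request") != 0) return -2;
    int first = message_first_byte(&msg);
    message_release_safe(&msg);
    return first;
}

/* Returns -1: after the hardened release the handler refuses the released buffer. */
int demo_safe_release(void) {
    message_t msg;
    if (message_init(&msg, "SLP request") != 0) return -2;
    message_release_safe(&msg);
    return message_first_byte(&msg);
}
```

Running the unsafe variant under AddressSanitizer (`-fsanitize=address`) is the practical way to surface the read through the freed pointer that the NULL check cannot catch.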
CVE-2020-3992, in particular, allows an attacker with access to port 427 of the management network on an ESXi machine to trigger a use-after-free issue in OpenSLP. This could lead to remote code execution, VMware warned.
In May, the company addressed another severe remote code execution vulnerability in the VMware Cloud Director. Tracked as CVE-2020-3956, the flaw triggered code injection that allowed authenticated attackers to send malicious traffic to Cloud Director. This could then lead to arbitrary code execution.