CVE-2020-3992
📋 TL;DR
CVE-2020-3992 is a use-after-free in the OpenSLP service (slpd) that VMware ESXi runs on its management interface. An unauthenticated attacker who can reach port 427 (TCP or UDP) on the ESXi host from the management network can trigger the flaw and potentially achieve remote code execution on the hypervisor. It affects ESXi 7.0, 6.7 and 6.5 on builds earlier than the fixed builds listed in VMSA-2020-0023.
💻 Affected Systems
- VMware ESXi
📦 What is this software?
ESXi is VMware's bare-metal hypervisor. The affected component is its OpenSLP-based Service Location Protocol daemon (slpd), which listens on port 427 of the management interface so that CIM management clients can discover the host; the corresponding ESXi firewall ruleset is named CIMSLP.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root privileges on ESXi host, potentially leading to complete virtualization environment takeover.
Likely Case
Remote code execution on ESXi host allowing attacker to deploy malware, exfiltrate data, or pivot to other systems.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to port 427.
🎯 Exploit Status
Exploitation requires network access to port 427 but no authentication. Multiple advisories and public PoCs exist, and CISA lists the CVE in its Known Exploited Vulnerabilities catalog, so treat any ESXi host with port 427 reachable from an untrusted network as a likely target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ESXi_7.0.1-0.0.16850804 (7.0), ESXi670-202010401-SG (6.7), ESXi650-202010401-SG (6.5)
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0023.html
Restart Required: Yes
Note: VMware later revised VMSA-2020-0023 because the initial ESXi 7.0 patch did not fully address the issue and re-released the fix as ESXi70U1a-17119627; install the patch named in the current advisory revision, not the first one listed.
Instructions:
1. Download the appropriate patch from the VMware portal.
2. Put the host in maintenance mode.
3. Apply the patch via the vSphere Client or the CLI (esxcli software profile update).
4. Reboot the host.
5. Verify the build reported by esxcli system version get matches the patch.
🔧 Temporary Workarounds
Disable the OpenSLP Service
Stop slpd and keep it from starting at boot, following VMware KB 76372. The service can only be stopped when no SLP agent is using it (esxcli system slp stats get reports active agents). Run in the ESXi shell (SSH or DCUI):
/etc/init.d/slpd stop
esxcli network firewall ruleset set -r CIMSLP -e 0
chkconfig slpd off
Confirm with chkconfig --list | grep slpd, which should show slpd off. Reverse the three commands (chkconfig slpd on, ruleset -e 1, /etc/init.d/slpd start) once the host is patched.
Block Port 427
ESXi has no iptables; on the host itself the CIMSLP ruleset above is what closes port 427. On an upstream Linux firewall sitting between untrusted networks and the management network, drop forwarded SLP traffic in both transports:
iptables -A FORWARD -p tcp --dport 427 -j DROP
iptables -A FORWARD -p udp --dport 427 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ESXi management network
- Apply firewall rules to restrict access to port 427 only from trusted management systems
🔍 How to Verify
Check if Vulnerable:
Run esxcli system version get and compare the Build number with the fixed build for your release in VMSA-2020-0023; anything lower is vulnerable. Also check whether slpd is enabled (chkconfig --list | grep slpd) and whether the CIMSLP firewall ruleset is open (esxcli network firewall ruleset list | grep CIMSLP): an unpatched host with slpd off and CIMSLP disabled is not reachable on port 427, but it is still unpatched.
Check Version:
esxcli system version get
Verify Fix Applied:
slpd ships inside the esx-base VIB rather than a separate openslp VIB, so esxcli software vib list | grep -i openslp returns nothing. Use esxcli software vib get -n esx-base (or esxcli software profile get) and confirm the esx-base version and image profile match the patch bulletin for your release, then confirm the build reported by esxcli system version get is at or above the fixed build.
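The checks above can be scripted. The script below is an added example written for this page, not VMware's code and not part of the original advisory. It assumes the ESXi shell (esxcli, chkconfig) when run on a host; the parsing is split into functions that take command output as arguments, so the logic also runs on captured text. The 7.0 threshold uses the build of the re-released patch (ESXi70U1a-17119627) from the advisory's later revision; the 6.7 and 6.5 thresholds are left empty because the bulletin names on this page carry no build number, and the script reports them as unknown until you fill them in.

```shell
#!/bin/sh
# Added example for this page (not VMware's code). Two checks for CVE-2020-3992:
#   1. is the installed build at or above the fixed build for this release?
#   2. is slpd enabled at boot AND is the CIMSLP firewall ruleset (port 427) open?

# Fixed build per major.minor release. 7.0: ESXi70U1a-17119627, the re-released
# patch in VMSA-2020-0023. ASSUMPTION: 6.7 / 6.5 are left empty; fill them in
# from the ESXi670-202010401-SG / ESXi650-202010401-SG bulletins.
fixed_build_for() {
  case "$1" in
    7.0) echo 17119627 ;;
    *)   echo "" ;;
  esac
}

# "major.minor" from the "Version: 7.0.1" line of `esxcli system version get`.
esxi_version() {
  sed -n 's/^[[:space:]]*Version:[[:space:]]*\([0-9]*\.[0-9]*\).*/\1/p'
}

# Numeric build from the "Build: Releasebuild-NNNNNNNN" line of the same command.
esxi_build() {
  sed -n 's/^[[:space:]]*Build:[[:space:]]*Releasebuild-\([0-9][0-9]*\).*/\1/p'
}

# patch_state "<output of esxcli system version get>"
#   -> patched | vulnerable | unknown (build missing, or no fixed build known)
patch_state() {
  ver=$(printf '%s\n' "$1" | esxi_version | head -n 1)
  build=$(printf '%s\n' "$1" | esxi_build | head -n 1)
  fixed=$(fixed_build_for "$ver")
  if [ -z "$build" ] || [ -z "$fixed" ]; then
    echo unknown
  elif [ "$build" -ge "$fixed" ]; then
    echo patched
  else
    echo vulnerable
  fi
}

# slp_exposed "<output of chkconfig --list>" "<output of esxcli network firewall ruleset list>"
#   -> yes when slpd is enabled AND the CIMSLP ruleset is open, otherwise no
slp_exposed() {
  daemon=$(printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }')
  rule=$(printf '%s\n' "$2" | awk '$1 == "CIMSLP" { print $2 }')
  if [ "$daemon" = "on" ] && [ "$rule" = "true" ]; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample output, in the layout the real commands print.
SAMPLE_VERSION='   Product: VMware ESXi
   Version: 7.0.0
   Build: Releasebuild-16324942
   Update: 0
   Patch: 0'
SAMPLE_CHKCONFIG='slpd            on
sshd            on'
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true'

# Use the live host when the ESXi shell is present, otherwise the samples.
if command -v esxcli >/dev/null 2>&1; then
  echo "patch state: $(patch_state "$(esxcli system version get)")"
  echo "slp exposed: $(slp_exposed "$(chkconfig --list)" "$(esxcli network firewall ruleset list)")"
else
  echo "patch state (sample): $(patch_state "$SAMPLE_VERSION")"
  echo "slp exposed (sample): $(slp_exposed "$SAMPLE_CHKCONFIG" "$SAMPLE_RULESETS")"
fi
```

A host that reports vulnerable and yes needs the KB 76372 workaround immediately and the patch as soon as a maintenance window allows; vulnerable and no means port 427 is closed but the fix is still outstanding.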
📡 Detection & Monitoring
Log Indicators:
- Connections to port 427 on the management interface from hosts that are not management or monitoring systems
- slpd crashes or restarts recorded in the host's syslog (a failed attempt against a use-after-free commonly crashes the service)
- Unexpected child processes spawned by slpd
Network Indicators:
- Traffic to port 427 (TCP or UDP) from non-management systems
- Malformed SLP messages (wrong version byte, function IDs outside the SLPv2 range, lengths that do not match the header)
SIEM Query (pseudo-syntax; map the field names to your SIEM):
source="ESXi" AND (dest_port=427 OR process="slpd") AND NOT src_ip IN (<management allowlist>)
Do not restrict this to denied or blocked events: the connections that matter are the ones that were allowed through.
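The allowlist logic behind that query, as an added example that is not part of the original page: a POSIX shell/awk filter that reads firewall or flow records and reports every source that reached port 427 without being on the management allowlist. The record format (key=value pairs per line) and the addresses are constructed for this example; rename the keys to match your own log source.

```shell
#!/bin/sh
# Added example (not from the original page or from VMware): report sources
# that talk SLP (port 427) to ESXi hosts from outside the management allowlist.
# Record format is CONSTRUCTED: space-separated key=value pairs, one per line.

# Hypothetical management allowlist: the only hosts expected to speak SLP
# to the hypervisors.
MGMT_ALLOW="10.10.1.5 10.10.1.6"

# suspicious_slp "<log text>" "<space-separated allowlist>"
# Prints each distinct source that touched port 427 and is not on the
# allowlist, in first-seen order. Denied attempts are included on purpose:
# a blocked probe is still worth investigating.
suspicious_slp() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      src = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "src")   src = kv[2]
        if (kv[1] == "dport") dport = kv[2]
      }
      if (dport == "427" && src != "" && !(src in ok) && !(src in seen)) {
        seen[src] = 1
        print src
      }
    }'
}

# suspicious_slp_count: same inputs, prints how many offending sources were seen.
suspicious_slp_count() {
  suspicious_slp "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: one allowed management client, one internal host probing
# two hypervisors (once over TCP, once over UDP), one denied attempt from a
# third network, and an unrelated HTTPS connection that must not be flagged.
SAMPLE_LOG='ts=2020-10-20T10:00:01Z src=10.10.1.5 dst=10.10.2.10 proto=udp dport=427 action=allow
ts=2020-10-20T10:00:02Z src=192.168.50.14 dst=10.10.2.10 proto=tcp dport=427 action=allow
ts=2020-10-20T10:00:03Z src=192.168.50.14 dst=10.10.2.10 proto=tcp dport=443 action=allow
ts=2020-10-20T10:00:04Z src=172.16.9.9 dst=10.10.2.11 proto=tcp dport=427 action=deny
ts=2020-10-20T10:00:05Z src=192.168.50.14 dst=10.10.2.11 proto=udp dport=427 action=allow'

echo "sources talking SLP to ESXi outside the allowlist:"
suspicious_slp "$SAMPLE_LOG" "$MGMT_ALLOW"
```

On the sample this prints 192.168.50.14 and 172.16.9.9; the management client on 10.10.1.5 and the port-443 connection are ignored. Keying on the allowlist rather than on action=deny is the point: the successful connection from 192.168.50.14 is the one an exploitation attempt would look like.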
🔗 References
- https://www.vmware.com/security/advisories/VMSA-2020-0023.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-1377/
- https://www.zerodayinitiative.com/advisories/ZDI-20-1385/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3992