CVE-2021-21974
📋 TL;DR
CVE-2021-21974 is a heap overflow vulnerability in the OpenSLP service used by VMware ESXi. It allows an attacker on the same network segment to execute arbitrary code remotely via port 427, without authentication. It affects ESXi hypervisors running vulnerable versions.
💻 Affected Systems
- VMware ESXi
📦 What is this software?
ESXi by VMware
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of ESXi host leading to full control of virtual infrastructure, data exfiltration, ransomware deployment, or lateral movement to other systems.
Likely Case
Remote code execution on ESXi host allowing installation of malware, credential theft, or disruption of virtual machines.
If Mitigated
Limited impact due to network segmentation, firewall rules blocking port 427, or disabled OpenSLP service.
🎯 Exploit Status
Exploit code is publicly available and requires network access to port 427. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ESXi70U1c-17325551, ESXi670-202102401-SG, ESXi650-202102101-SG
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the VMware portal.
2. Place the host in maintenance mode.
3. Apply the patch via the vSphere Client or CLI.
4. Reboot the host.
5. Verify the patch installation.
🔧 Temporary Workarounds
Disable OpenSLP Service
Disables the vulnerable OpenSLP service so that nothing listens on port 427 (run from the ESXi host shell; the chkconfig line keeps it disabled across reboots).
esxcli system slp stats set --enable-slp=false
/etc/init.d/slpd stop
chkconfig slpd off
Block Port 427 with Firewall
Blocks network access to the vulnerable OpenSLP service by disabling the ESXi firewall ruleset that opens port 427; the built-in ruleset is named CIMSLP.
esxcli network firewall ruleset set --ruleset-id=CIMSLP --enabled=false
esxcli network firewall refresh
🧯 If You Can't Patch
- Segment ESXi hosts on isolated network VLANs with strict access controls.
- Implement network firewall rules to block all traffic to port 427 from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
Check the ESXi version and build with 'esxcli system version get' and compare the build number against the patched builds listed above. Verify the OpenSLP service status with 'esxcli system slp stats get'.
Check Version:
esxcli system version get
Verify Fix Applied:
Confirm version is patched with 'esxcli system version get'. Verify OpenSLP service is disabled or port 427 is blocked.
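The version check above can be scripted so it gives a clear answer instead of a build number to compare by eye. The following POSIX shell script is an added example, not code from the page or from VMware: it parses the output of 'esxcli system version get' and compares the build number against the fixed build for that branch. The 7.0 fixed build (17325551, from ESXi70U1c-17325551) is taken from the page; the "Key: Value" output layout is assumed, the sample outputs are constructed, and the 6.7/6.5 fixed builds are left as placeholders because the page gives only their patch names.

```shell
# Added example (not from the page or VMware): decide patched / vulnerable /
# unknown from the text of `esxcli system version get`.

# Constructed sample: an unpatched 7.0 host. Build 17000000 is an invented,
# pre-fix number used only for this example.
SAMPLE_UNPATCHED='   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17000000
   Update: 1
   Patch: 10'

# Constructed sample: a host at the fixed build named on the page.
SAMPLE_PATCHED='   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17325551
   Update: 1
   Patch: 25'

# Minimum fixed build for a version string; empty means "not known here".
fixed_build_for() {
    case "$1" in
        7.0*) echo 17325551 ;;   # ESXi70U1c-17325551 (from the page)
        6.7*|6.5*) echo "" ;;    # placeholder: look up ESXi670-202102401-SG / ESXi650-202102101-SG
        *) echo "" ;;
    esac
}

# Extract one "Key: Value" field from the esxcli text, tolerating leading spaces.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print patched | vulnerable | unknown for one esxcli output blob.
check_build() {
    version=$(field Version "$1")
    build=$(field Build "$1" | sed 's/^Releasebuild-//; s/[^0-9].*$//')
    fixed=$(fixed_build_for "$version")
    if [ -z "$fixed" ] || [ -z "$build" ]; then
        echo unknown
    elif [ "$build" -ge "$fixed" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Stand-alone run over the constructed samples. On a real host, replace a
# sample with "$(esxcli system version get)".
echo "unpatched sample: $(check_build "$SAMPLE_UNPATCHED")"
echo "patched sample:   $(check_build "$SAMPLE_PATCHED")"
```

A result of "unknown" is deliberate for branches whose fixed build is not filled in: the script never reports a host as patched without a known threshold, so the 6.x placeholders must be replaced with the build numbers from the vendor advisory before the check is trusted there.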
📡 Detection & Monitoring
Log Indicators:
- Unusual connections to port 427 in /var/log/vmware/hostd.log
- Crash or restart of slpd service in system logs
- Suspicious process creation from slpd service
Network Indicators:
- Unusual traffic patterns to port 427/TCP
- Malformed SLP packets from internal sources
- Connection attempts to ESXi port 427 from unexpected IPs
SIEM Query:
source="esxi_host" dest_port=427 AND (payload_size>normal OR malformed_packet_detected)
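Two of the indicators above (a crash or restart of slpd, and port 427 connections from unexpected sources) can be checked directly against host logs. The following POSIX shell script is an added example, not code from the page or from VMware. The log lines, their layout, and the management allowlist are all constructed for the example; real hostd.log and vmkernel.log entries are formatted differently, so the grep and sed patterns are the parts to adapt.

```shell
# Added example (not from the page or VMware): two small detections over
# constructed log lines matching the page's indicators.

# Constructed sample log; the layout is invented for this example.
SAMPLE_LOG='2021-02-24T10:00:01Z hostd: slpd started
2021-02-24T10:05:12Z vmkernel: slpd[12345] terminated by signal 11 (SIGSEGV)
2021-02-24T10:05:13Z init: slpd restarted
2021-02-24T10:05:14Z hostd: connection from 10.0.0.5 to port 427 accepted
2021-02-24T10:05:20Z hostd: connection from 10.0.1.10 to port 427 accepted
2021-02-24T10:06:00Z hostd: backup job completed'

# Management hosts expected to reach port 427 (constructed allowlist).
ALLOWED_427_SOURCES='10.0.1.10 10.0.1.11'

# Indicator 1: lines that mention slpd together with a crash/restart keyword.
slpd_crash_lines() {
    printf '%s\n' "$1" | grep -i 'slpd' | grep -iE 'signal|segv|core|crash|restart'
}

# Count of such lines; prints 0 when there are none.
slpd_crash_count() {
    slpd_crash_lines "$1" | grep -c .
}

# Indicator 2: source IPs of port-427 connections not on the allowlist.
unexpected_427_sources() {
    printf '%s\n' "$1" | grep -E 'port 427' | sed -n 's/.*from \([0-9.]*\).*/\1/p' |
    while read -r ip; do
        case " $ALLOWED_427_SOURCES " in
            *" $ip "*) ;;        # expected management host, ignore
            *) echo "$ip" ;;     # anything else is worth a look
        esac
    done
}

# Stand-alone run over the constructed sample. On a host, feed the real log:
#   slpd_crash_lines "$(cat /var/log/vmware/hostd.log)"
echo "slpd crash/restart lines: $(slpd_crash_count "$SAMPLE_LOG")"
slpd_crash_lines "$SAMPLE_LOG"
echo "unexpected port 427 sources:"
unexpected_427_sources "$SAMPLE_LOG"
```

A single slpd restart is not proof of exploitation, but paired with a port 427 connection from a non-management address in the same minute it is the sequence a heap overflow attempt would leave behind, and that pairing is what to alert on.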
🔗 References
- http://packetstormsecurity.com/files/162957/VMware-ESXi-OpenSLP-Heap-Overflow.html
- https://www.vmware.com/security/advisories/VMSA-2021-0002.html
- https://www.zerodayinitiative.com/advisories/ZDI-21-250/