VMware has released a new security advisory VMSA-2019-0022 (VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution vulnerability). Patches and workarounds are available to address this vulnerability in affected VMware products.
This advisory documents the remediation of one issue, rated with a severity of critical. VMware ESXi and Horizon DaaS use an OpenSLP version which has a heap overwrite issue. Successful exploitation of this issue may allow attackers with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance to overwrite the heap of the OpenSLP service, resulting in remote code execution.
The identifier CVE-2019-5544 was assigned to this vulnerability.
Affected products and resolutions:
- ESXi 6.7 – apply patch ESXi670-201912001 or apply the workaround
- ESXi 6.5 – apply patch ESXi650-201912001 or apply the workaround
- ESXi 6.0 – apply patch ESXi600-201912001 or apply the workaround
- Horizon DaaS – patch pending, apply the workaround
VMSA-2019-0022 – ESXi 6.x workaround
The workaround is detailed in VMware KB article #76372 (Workaround for OpenSLP security vulnerability in ESXi 6.x). This workaround is meant to be a temporary solution only and customers are advised to deploy the patches documented above.
- Stop the SLP service on the ESXi host (/etc/init.d/slpd stop)
- Disable SLP service (esxcli network firewall ruleset set -r CIMSLP -e 0)
- Make the change persistent across reboots (chkconfig slpd off)
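
To confirm that all three steps took effect on a host, the added example below (not part of the advisory or the KB article) checks the output of `/etc/init.d/slpd status`, `esxcli network firewall ruleset list` and `chkconfig --list slpd`. The function names and the output formats described in the comments are assumptions.

```shell
#!/bin/sh
# Added example: confirm the three ESXi workaround steps took effect.
# The checks read command output on stdin, so they can be tried offline.
# Assumed output formats (not taken from the advisory):
#   /etc/init.d/slpd status              -> "slpd is running" / "slpd is not running"
#   esxcli network firewall ruleset list -> rows of "<name> <true|false>"
#   chkconfig --list slpd                -> "slpd <on|off>"

slpd_stopped() { grep -q 'not running'; }

# Succeeds only if a row named $1 exists and its second column equals $2.
# A missing row counts as a failure rather than a pass.
row_is() {
    awk -v n="$1" -v want="$2" \
        '$1 == n { seen = 1; ok = ($2 == want) } END { exit !(seen && ok) }'
}

ruleset_disabled() { row_is CIMSLP false; }
autostart_off()    { row_is slpd off; }

# check_workaround STATUS_TEXT RULESET_TEXT CHKCONFIG_TEXT
# Prints one line per step; returns non-zero if any step is missing.
check_workaround() {
    rc=0
    if printf '%s\n' "$1" | slpd_stopped; then echo "OK   slpd is stopped"
    else echo "FAIL slpd is still running"; rc=1; fi
    if printf '%s\n' "$2" | ruleset_disabled; then echo "OK   CIMSLP ruleset disabled"
    else echo "FAIL CIMSLP ruleset not confirmed disabled"; rc=1; fi
    if printf '%s\n' "$3" | autostart_off; then echo "OK   slpd will not start at boot"
    else echo "FAIL slpd autostart not confirmed off"; rc=1; fi
    return $rc
}

# Constructed sample: service stopped, but the ruleset and autostart steps skipped.
SAMPLE_RULES='Name       Enabled
---------  -------
sshServer     true
CIMSLP        true'
check_workaround 'slpd is not running' "$SAMPLE_RULES" 'slpd    on'

# On an ESXi host, run the same checks against live output.
if command -v esxcli >/dev/null 2>&1; then
    check_workaround "$(/etc/init.d/slpd status 2>&1)" \
        "$(esxcli network firewall ruleset list)" \
        "$(chkconfig --list slpd)"
fi
```
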
VMSA-2019-0022 – Horizon DaaS workaround
The workaround is detailed in VMware KB article #76411 (Workaround for OpenSLP security vulnerability in Horizon DaaS appliances). This workaround is meant to be a temporary solution only – permanent fixes will be released as soon as they are available.
- Download the workaround for the install version from the MyVMware portal (e.g. Horizon DaaS 8.0.1 OpenSLP Hotfix).
- Follow instructions provided in the Steps to follow section of the Readme.txt to apply the workaround to all management appliances in the DaaS deployments.
You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.