CVE-2020-3992
Published: 20 October 2020
Summary
CVE-2020-3992 is a critical-severity Use After Free (CWE-416) vulnerability in VMware ESXi. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-3992 is a use-after-free vulnerability (CWE-416) in the OpenSLP service as implemented in VMware ESXi. Affected releases include version 7.0 prior to ESXi_7.0.1-0.0.16850804, 6.7 prior to ESXi670-202010401-SG, and 6.5 prior to ESXi650-202010401-SG. The flaw carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker located on the management network and able to reach TCP/UDP port 427 can send crafted SLP packets that trigger the use-after-free condition, resulting in remote code execution with full control over the hypervisor.
VMware security advisory VMSA-2020-0023 and corresponding Zero Day Initiative reports ZDI-20-1377 and ZDI-20-1385 identify the issue and direct administrators to apply the listed ESXi updates that contain the corrected OpenSLP implementation. No public reports of in-the-wild exploitation appear in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-25257
Vulnerability details
OpenSLP as used in VMware ESXi (7.0 before ESXi_7.0.1-0.0.16850804, 6.7 before ESXi670-202010401-SG, 6.5 before ESXi650-202010401-SG) has a use-after-free issue. A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely installation of vendor patches that remediate the use-after-free flaw in OpenSLP.
- SC-7 (Boundary Protection): Enforces boundary protection and traffic filtering so that only authorized management-network hosts can reach TCP/UDP 427.
- CM-7 (Least Functionality): Requires disabling or removing non-essential services such as the vulnerable OpenSLP listener when it is not required.
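The three controls above translate into two concrete checks on an ESXi host: is the running build older than the fixed one, and if so, is the OpenSLP listener stopped and its firewall ruleset closed while the patch is scheduled. The POSIX sh below is an added example, not code from the advisory or from VMware; it parses the output of `esxcli system version get`, compares the build against the fixed 7.0 build named on this page (16850804), and prints (or, with `run`, executes) VMware's published SLP-disable workaround commands. The advisory gives only patch IDs for 6.5 and 6.7, not build numbers, so those are left as labelled placeholders and reported as "unknown" rather than guessed; the sample `esxcli` output in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: CVE-2020-3992 build check and interim
# OpenSLP hardening for VMware ESXi. Fixed 7.0 build is from the advisory's
# ESXi_7.0.1-0.0.16850804; 6.5/6.7 builds are placeholders to fill from your
# own patch baseline (advisory names patch IDs ESXi670-202010401-SG and
# ESXi650-202010401-SG, not build numbers).
FIXED_BUILD_70=16850804
FIXED_BUILD_67="FILL_IN_BUILD_OF_ESXi670-202010401-SG"   # placeholder
FIXED_BUILD_65="FILL_IN_BUILD_OF_ESXi650-202010401-SG"   # placeholder

# Read `esxcli system version get` output from stdin and print "<version> <build>",
# e.g. "7.0.0 16324942". The Build line looks like "Build: Releasebuild-16324942".
parse_esxi_version() {
    version=""; build=""
    while IFS= read -r line; do
        case "$line" in
            *Version:*) version=${line##*Version: } ;;
            *Build:*)   build=${line##*-} ;;
        esac
    done
    printf '%s %s\n' "$version" "$build"
}

# Print fixed/affected/unknown for a "<version> <build>" pair and return
# 0 only when the host is known to carry the fixed OpenSLP build.
# Only 7.0 is decidable from the advisory; 6.5/6.7 need the patch ID checked
# by hand (esxcli software vib list), so they are reported as unknown.
slp_status() {
    version=$1; build=$2
    case "$version" in
        7.0*)
            if [ "$build" -ge "$FIXED_BUILD_70" ] 2>/dev/null; then
                echo fixed; return 0
            fi
            echo affected; return 1 ;;
        6.7*|6.5*)
            echo unknown-check-patch-id; return 1 ;;
        *)
            echo not-in-scope; return 2 ;;
    esac
}

# Interim hardening for a host that cannot be patched yet (VMware's SLP-disable
# workaround): stop slpd, close the CIMSLP firewall ruleset (TCP/UDP 427) and
# keep slpd from starting at boot. Default is dry-run; pass "run" to execute.
slp_hardening() {
    mode=${1:-dry-run}
    for cmd in \
        "/etc/init.d/slpd stop" \
        "esxcli network firewall ruleset set -r CIMSLP -e 0" \
        "chkconfig slpd off"
    do
        if [ "$mode" = run ]; then $cmd; else echo "$cmd"; fi
    done
}
```

On a live host the pieces chain as `esxcli system version get | parse_esxi_version | { read v b; slp_status "$v" "$b" || slp_hardening; }`, which prints the workaround commands whenever the build is not known to be fixed; add `run` to `slp_hardening` once you have confirmed nothing on the management network still depends on SLP discovery (CIM clients are the usual consumer), and treat the ruleset closure as a stopgap until the listed patch is applied.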