sivamallu
ServiceNow Employee

On February 3, 2023, the French Computer Emergency Response Team (CERT-FR) reported active exploitation of CVE-2021-21974, a two-year-old heap overflow in the OpenSLP service of unpatched VMware ESXi hosts. Attackers exploited it to deploy ransomware on more than 3,800 servers, encrypting the data on those machines. While the defender community is responding with recovery tools and mitigation guidance, the attackers are already evolving their methods to make recovery impossible.

We recommend that customers prioritize remediation of CVE-2021-21974 in their environments to reduce risk from this ongoing attacker activity. The following is guidance on doing that effectively with the ServiceNow Vulnerability Response workspaces.

Create a Watch Topic

To understand the impact of this vulnerability in your organization, create a watch topic in Vulnerability Manager Workspace with the criteria shown below. The watch topic identifies the matching vulnerabilities and the impacted configuration items.

Watch Topic for CVE-2021-21974

If you are using the Qualys or Tenable integration with ServiceNow Vulnerability Response, dot-walk to Vulnerability.Third-Party Vulnerability Entry.ID in the watch topic condition builder and match on the scanner-specific identifiers. The Qualys IDs and the Tenable plugin that correspond to CVE-2021-21974 are:

Qualys - QID-216258, QID-216257, QID-216256, QID-11699

Tenable - TEN-146827

Watch Topic with Qualys IDs

If you are using multiple scanners, combine the scanner-specific conditions with the OR operator so the watch topic captures findings from all of them.

Watch Topic for multiple scanners

Assess the watch topic findings

Once the watch topic is populated, check the remediation progress shown in the watch topic header to see whether open vulnerabilities remain. Then review the Overview, Impacted CIs, Distinct Vulnerabilities and Vulnerable Items tabs to assess the extent of the exposure: which hosts are affected and which teams own them.

Create a Remediation Effort and assign Remediation Tasks

Any active vulnerabilities should be prioritized for immediate remediation. Create a Remediation Effort from the watch topic for the open vulnerabilities and assign remediation tasks to the IT teams that manage the impacted servers.

Create a Remediation Effort for active vulnerabilities

IT Remediation Workspace

Once remediation tasks are created, IT owners find them in their queue in IT Remediation Workspace. From a remediation task, IT owners can create a change request to schedule the fix: patching the affected hosts to an ESXi build that contains the fix for CVE-2021-21974 (the fixed versions are listed in VMware advisory VMSA-2021-0002).

If patching cannot be prioritized for any reason, the risk can be reduced by disabling the Service Location Protocol (SLP) service on the ESXi hosts, following VMware's documented workaround, and by ensuring the hypervisors' management interfaces are not exposed to the internet. This is a compensating control, not a fix: it removes the network-reachable OpenSLP listener (port 427) that the exploit targets, but the vulnerable code remains on the host, so the patch should still be scheduled and the SLP state should be re-verified whenever the host configuration changes.

Once the risk is mitigated, IT owners can request an exception on the remediation task to defer patching to a later date. The exception should record the mitigation applied and an expiry date so the deferred patch is revisited.
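As an added example (not code from the original post, and not VMware's own tooling), the following ESXi shell script ties the two decisions in this section together: it decides from the host's `vmware -v` output whether the running build already contains the fix, checks whether the SLP workaround is in place, and can apply that workaround. The fixed build numbers are taken from VMware advisory VMSA-2021-0002 and should be verified against the advisory before relying on them; the SLP commands are VMware's documented workaround (KB 76372); the script name esxi_triage.sh and the exact wording of the status lines are assumptions.

```shell
#!/bin/sh
# Added example: triage an ESXi host for CVE-2021-21974 from the ESXi shell
# and apply VMware's SLP workaround. Not from the original post or from VMware.
#
# First fixed builds per branch, as listed in VMSA-2021-0002 (assumption:
# verify against the advisory):
#   7.0 -> ESXi70U1c-17325551
#   6.7 -> ESXi670-202102401-SG (build 17499825)
#   6.5 -> ESXi650-202102101-SG (build 17477841)
# ESXi 6.0 and older are end of life and received no fix.

# fixed_build_for BRANCH -> prints the first fixed build for that branch;
# prints nothing and returns 1 when no fix exists for it.
fixed_build_for() {
    case "$1" in
        7.0) echo 17325551 ;;
        6.7) echo 17499825 ;;
        6.5) echo 17477841 ;;
        *)   return 1 ;;
    esac
}

# esxi_is_fixed "VMware ESXi 6.7.0 build-17499825"
# Returns 0 when the running build already contains the fix, 1 otherwise.
# Unknown branches and unparsable strings are treated as vulnerable.
esxi_is_fixed() {
    line=$1
    branch=$(printf '%s\n' "$line" | sed -n 's/^VMware ESXi \([0-9]*\.[0-9]*\)\..*/\1/p')
    build=${line##*build-}
    fixed=$(fixed_build_for "$branch") || return 1
    case "$build" in
        ''|*[!0-9]*) return 1 ;;   # no numeric build number: assume vulnerable
    esac
    [ "$build" -ge "$fixed" ]
}

# slp_mitigated CHKCONFIG_LINE FIREWALL_LINE
# Takes the slpd line of 'chkconfig --list' and the CIMSLP line of
# 'esxcli network firewall ruleset list' (e.g. "slpd  off" and
# "CIMSLP  false") and returns 0 only when both show SLP disabled.
slp_mitigated() {
    case "$1" in *slpd*off*) ;; *) return 1 ;; esac
    case "$2" in *CIMSLP*false*) ;; *) return 1 ;; esac
    return 0
}

# VMware's workaround (KB 76372): stop the SLP daemon, disable its firewall
# ruleset, and keep it from starting at boot. Run on the host as root.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Usage on an ESXi host:
#   sh esxi_triage.sh check  -> reports patched / mitigated / vulnerable
#   sh esxi_triage.sh apply  -> applies the SLP workaround, then re-checks
case "${1:-}" in
    check|apply)
        if [ "$1" = apply ]; then disable_slp; fi
        if esxi_is_fixed "$(vmware -v)"; then
            echo "patched: $(vmware -v)"
        elif slp_mitigated "$(chkconfig --list | grep slpd)" \
                           "$(esxcli network firewall ruleset list | grep CIMSLP)"; then
            echo "vulnerable build, SLP disabled: workaround in place, patch still required"
        else
            echo "VULNERABLE: $(vmware -v) with SLP enabled"
            exit 2
        fi ;;
esac
```

The check treats anything it cannot classify (an end-of-life 6.0 host, a malformed version string) as vulnerable, which is the right default for a triage tool: a host that falls out of the supported branches needs a decommissioning decision, not a silent pass. Record the result of the `check` run on the exception request when deferring the patch.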

 

Refer to VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attacks for remediation guidance from VMware for vulnerable machines.

 

Track and Monitor

Vulnerability managers should watch for new vulnerable items appearing in the watch topic (for example, newly discovered hosts reporting the same scanner findings) and track the remediation progress of the vulnerabilities in the remediation effort until it reaches closure.

The ESXiArgs ransomware attacks show that attackers can use vulnerabilities disclosed years ago and still succeed, as long as organizations sideline vulnerability management and patching. Organizations must make an effective vulnerability management program part of their security strategy, using vulnerability scanners together with vulnerability response tools to safeguard their assets from exploitation.

Version history: last updated 02-09-2023 06:25 AM