External risk intelligence

VMware ESXi and Horizon DaaS Heap Overflow Vulnerability

CVE advisory · Known Exploit

CVE-2019-5544

VMware ESXi and Horizon DaaS appliances have a heap overwrite vulnerability in the OpenSLP service. This could allow an attacker with network access to execute code remotely, leading to unauthorized system control and potential data compromise for affected organizations.

Halo Surface Signal: 3

Out-of-bounds Write

VMware Horizon DaaS

8.0.0 to before 9.0.0.06.0

External exposure likelihood

Halo Surface Signal score for CVE-2019-5544

The vulnerability involves the OpenSLP service, which typically listens on port 427 for network discovery. While reachable over a network, this service is generally intended for internal management. Exposure is possible in misconfigured or poorly segmented environments, but it is not a standard internet-facing deployment.

Horizon Alert

Summary of the vulnerability and why it matters

The OpenSLP service within VMware ESXi and Horizon DaaS appliances contains a heap overwrite vulnerability. This flaw permits an attacker with network access to port 427 to overwrite the service's heap, potentially leading to remote code execution. This could allow an attacker to gain unauthorized access and control over affected systems, potentially resulting in data loss or service disruptions.

  • Vulnerable OpenSLP service
  • Heap overwrite flaw
  • Remote code execution impact

Attack Path

How an attacker could exploit the issue

The OpenSLP service in VMware ESXi and Horizon DaaS appliances is susceptible to a heap overwrite vulnerability. An attacker could exploit this to gain control over affected systems. The vulnerability has been documented as known to be exploited in ransomware campaigns.

  • Network exposure is required.
  • Unauthenticated attackers can gain access.
  • Triggering the vulnerability leads to code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability affects VMware ESXi and Horizon DaaS appliances. It allows an attacker to overwrite memory within the OpenSLP service, potentially leading to remote code execution. This could result in unauthorized access, system disruption, or data compromise for affected organizations. The vulnerability has been identified as a critical risk with a high likelihood of exploitation.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in OpenSLP for VMware ESXi and Horizon DaaS presents a critical risk. Organizations should prioritize identifying all instances of affected systems, implementing measures to reduce potential exposure, and applying the vendor-provided fixes. Following the application of updates, thorough validation and continuous monitoring are essential to ensure the integrity of the environment and detect any related malicious activity.

  • Find all affected VMware ESXi and Horizon DaaS assets.
  • Isolate affected systems or reduce network exposure.
  • Apply vendor updates, validate, and monitor.
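The "reduce network exposure" and "validate" steps above, and the Halo Surface Signal note that OpenSLP listens on port 427, both come down to one question a defender can test: from a vantage point that should be segmented away from management, does TCP 427 on each appliance still accept connections? The following is an added example, not code from the original page or from VMware; the inventory addresses are constructed placeholders and the scan should be run from the network position whose access you intend to deny.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

SLP_PORT = 427  # OpenSLP (slpd) service port on ESXi / Horizon DaaS appliances


def slp_port_reachable(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes from this vantage point.

    A refused, filtered or timed-out connection all count as not reachable, which is
    the desired state after segmentation or after the service has been disabled.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(hosts, port: int = SLP_PORT, timeout: float = 2.0, workers: int = 16):
    """Map each host to whether port 427 accepted a connection (checked concurrently)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: slp_port_reachable(h, port, timeout), hosts))
    return dict(zip(hosts, results))


def exposed_hosts(report):
    """Hosts from a check_exposure() report that still expose the SLP port; each one is
    a finding to isolate, patch, or re-check after the network change."""
    return sorted(host for host, reachable in report.items() if reachable)


if __name__ == "__main__":
    # Constructed inventory of appliance addresses (TEST-NET-1), not real assets.
    inventory = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    report = check_exposure(inventory)
    for host, reachable in report.items():
        state = "REACHABLE - review" if reachable else "closed/filtered"
        print(f"{host}: tcp/{SLP_PORT} {state}")
    print("exposed:", exposed_hosts(report))
```

Re-run the same check after patching or segmentation; an appliance that drops out of the exposed list is the validation the Operational Fix asks for.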

Frequently asked questions

What is OpenSLP in VMware ESXi and Horizon DaaS?

OpenSLP is an open-source implementation of the Service Location Protocol (SLP), a network service discovery protocol used in VMware ESXi and Horizon DaaS appliances to let systems locate and communicate with each other. This service is the component affected by CVE-2019-5544.

How does CVE-2019-5544 allow an attacker to gain control?

CVE-2019-5544 is a heap overwrite vulnerability (CWE-787). An unauthenticated attacker with network access to port 427 can send crafted requests to the OpenSLP service, overwriting its memory and potentially achieving remote code execution.

What are the implications of this heap overwrite vulnerability?

This vulnerability can lead to remote code execution, allowing an attacker to gain unauthorized access and control over affected VMware ESXi and Horizon DaaS systems, potentially causing data loss or service disruptions.

Is CVE-2019-5544 a known exploited vulnerability and what is its context?

Yes, CVE-2019-5544 is listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. The Halo Surface Signal indicates possible exposure, noting that while OpenSLP is usually for internal use, misconfigurations can lead to network accessibility.

What steps should be taken to address CVE-2019-5544?

Organizations should identify all affected VMware ESXi and Horizon DaaS assets, reduce network exposure where possible, and apply vendor-provided updates. Continuous monitoring after patching is crucial to ensure environment integrity and detect any malicious activity.