At the Tianfu Cup competition held in China at the end of November, many vulnerabilities were discovered and exploited, earning the participating teams more than $500,000 in total.
Among other things, the 360Vulcan team, which eventually won the competition, demonstrated a hack of VMware ESXi: escaping from a virtual machine and taking control of the host operating system. The exploit took only 24 seconds and immediately earned its authors $200,000.
Since VMware representatives were present at the competition, details of the vulnerability and the exploit were handed to them immediately after the demonstration, on November 17th. As the company's further investigation revealed, the vulnerability affects ESXi versions 6.0, 6.5 and 6.7 running on any platform, as well as Horizon Cloud for desktop PCs (DaaS) version 8.x. The bug is a heap overwrite in OpenSLP, the open source implementation of the Service Location Protocol (SLP).
“An attacker with access to port 427 on the ESXi host or any Horizon DaaS control device can overwrite the OpenSLP heap, which will lead to remote code execution,” the developers warn.
Patches for ESXi have already been released, although VMware engineers are still working on a fix for Horizon DaaS. The vulnerability received the identifier CVE-2019-5544 and scored 9.8 on the CVSS scale, meaning the problem is rated critical.