
Mandiant Uncovers Chinese APT Exploiting New VMware ESXi Zero-day


A new zero-day vulnerability has been discovered by Mandiant, an incident response firm owned by Google Cloud. This vulnerability affects the VMware hypervisor ESXi and is currently being actively exploited by a Chinese nation-state threat actor referred to as “UNC3886.” The flaw, known as CVE-2023-20867, is an authentication bypass that allows a fully compromised ESXi host to force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.

According to Mandiant’s research post, in order to exploit the vulnerability, the attacker must have privileged account access to the ESXi host, and the target guest machine must have VMware Tools installed. Once the attacker gains access, CVE-2023-20867 allows them to execute privileged actions on a compromised ESXi host without authentication. Additionally, no logging events are generated by default when the vulnerability is successfully exploited, making it more challenging for defenders to respond to the attack.

To patch the vulnerability, VMware customers are advised to update their VMware Tools instance to version 12.2.5. However, despite the ongoing targeted attacks, VMware has evaluated the severity of the flaw as low, with a CVSS v3 score of 3.9. According to a VMware spokesperson, the vulnerability cannot be exploited unless the attacker has already gained root access.
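Because the page notes that successful exploitation generates no log events by default, the practical verification on the guest side is to confirm the installed VMware Tools version is at or above 12.2.5. The following is an added example, not code from Mandiant, VMware or the article; it assumes the guest exposes `vmware-toolbox-cmd -v` (or `VMwareToolboxCmd.exe` on Windows) and that its output starts with a dotted version such as the constructed sample `12.1.5.20735119 (build-20735119)`.

```python
"""Check a guest's VMware Tools version against the fixed version for CVE-2023-20867."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Version the article names as the fix for the VMware Tools side of CVE-2023-20867.
FIXED_VERSION = (12, 2, 5)

# Candidate binary names (assumption: Linux/Unix and Windows Tools installs).
TOOLBOX_BINARIES = ("vmware-toolbox-cmd", "VMwareToolboxCmd.exe")


def parse_tools_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the leading dotted version from `vmware-toolbox-cmd -v` output.

    Only the first three numeric components are kept; the build suffix is ignored.
    Returns None when no version can be found.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)+)", output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))[:3]


def is_patched(version: Optional[Tuple[int, ...]], minimum=FIXED_VERSION) -> bool:
    """True when version >= minimum; unknown or unparseable versions count as unpatched."""
    if version is None:
        return False
    padded = tuple(version) + (0,) * (len(minimum) - len(version))
    return padded >= minimum


def installed_tools_version() -> Optional[Tuple[int, ...]]:
    """Query the local guest; None means Tools is absent or its version is unreadable."""
    for name in TOOLBOX_BINARIES:
        exe = shutil.which(name)
        if exe is None:
            continue
        try:
            result = subprocess.run([exe, "-v"], capture_output=True, text=True,
                                    timeout=10, check=False)
        except (OSError, subprocess.SubprocessError):
            return None
        return parse_tools_version(result.stdout)
    return None


if __name__ == "__main__":
    ver = installed_tools_version()
    if ver is None:
        print("VMware Tools not found or version unreadable; nothing to check")
    else:
        state = "at or above" if is_patched(ver) else "BELOW"
        print(f"VMware Tools {'.'.join(map(str, ver))} is {state} the fixed version 12.2.5")
```

A guest without VMware Tools reports "not found" here, which matches the article's precondition that the target guest must have Tools installed.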

Mandiant identifies UNC3886 as a highly adept Chinese cyberespionage group that primarily targets defense, technology, and telecommunication organizations in the US and APJ (Asia-Pacific) regions. The group has previously targeted victims using zero-day flaws in firewall and virtualization products and continues to exploit devices and platforms that lack endpoint detection and response solutions.

It’s important to note that CVE-2023-20867 is unrelated to the high-profile ESXiArgs ransomware campaign that occurred earlier this year. In that campaign, threat actors targeted internet-facing servers in multiple nations using different vulnerabilities. Alex Marvi, a Mandiant consultant, stated that they have observed the exploitation of the new vulnerability in defense contractors and telecommunications companies in the US and APJ regions. He also mentioned that while exploitation might not be widespread in the short term due to the need for administrative access, it could become more prevalent if the exploit tooling becomes publicly available.

In conclusion, the discovery of this zero-day vulnerability affecting VMware hypervisor ESXi and its active exploitation by a Chinese nation-state threat actor highlights the ongoing challenges posed by cyber threats. Organizations are advised to prioritize patching and updating their software to protect against these vulnerabilities. The continuous development and deployment of effective endpoint detection and response solutions are also crucial in detecting and mitigating attacks.
