
VMware ESXi

Product
The name of the base system (platform): VMware ESX Server
Developers: VMware
Last Release Date: 2023/02/07
Technology: DaaS - Desktop as a Service, Virtualization


Main article: Virtualization. Classification and applications

2023

Attackers exploit 2021 vulnerability in attacks on VMware ESXi servers

The French Computer Emergency Response Team (CERT-FR) warns that attackers are actively exploiting a 2021 RCE vulnerability in unpatched VMware ESXi servers to deploy the ESXiArgs ransomware. This became known on February 6, 2023.


CVE-2021-21974 (CVSS 8.8) is a heap-based buffer overflow in the OpenSLP service that an unauthenticated attacker can exploit for remote code execution. It is worth noting that the fix for this bug was released in February 2021.

To block incoming attacks, administrators must disable the vulnerable Service Location Protocol (SLP) on ESXi hypervisors that have not yet been updated. CERT-FR added that non-updated systems should also be scanned for signs of compromise.

CVE-2021-21974 affects the following systems:

  • ESXi 7.x before ESXi70U1c-17325551;
  • ESXi 6.7.x before ESXi670-202102401-SG;
  • ESXi 6.5.x before ESXi650-202102101-SG.

According to Censys data, about 3,200 VMware ESXi servers worldwide were compromised during the ESXiArgs ransomware campaign. The malware encrypts files with the extensions ".vmxf", ".vmx", ".vmdk", ".vmsd" and ".nvram" on compromised ESXi servers and creates a ".args" file for each encrypted document containing metadata (probably needed for decryption).

On infected systems, ESXiArgs leaves ransom notes named "ransom.html" and "How to Restore Your Files.html", in ".html" or ".txt" format.

Michael Gillespie of ID Ransomware analyzed the encryptor and stated that encrypted files could not be decrypted. For encryption, ESXiArgs generates a 32-byte key using a cryptographically secure pseudo-random number generator (CSPRNG); this key is then used to encrypt the file with Sosemanuk, a secure stream cipher. The file key is itself encrypted with RSA and appended to the end of the file.
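As an added example (not part of the article and not a VMware or CERT-FR tool), the following script applies the file-level indicators just described, namely the targeted extensions, the per-file ".args" metadata file and the two ransom-note names, to a datastore directory tree; this is the kind of check that CERT-FR's advice to scan unpatched systems for signs of compromise calls for. It assumes the metadata file is named "<original file name>.args" and runs against a constructed sample tree.

```python
"""Datastore triage for ESXiArgs-style artifacts (added example, not from the page).

Walks a datastore-like directory tree and reports:
  * encrypted VM files: targeted extensions with a sibling "<name>.args" file;
  * orphan ".args" files whose original is missing or not a targeted type;
  * ransom notes: "ransom" / "How to Restore Your Files" as .html or .txt.
Assumption: the metadata file is named "<original file name>.args".
"""
import os
import tempfile

# File types the ransomware targets, as described in the text.
TARGET_EXTS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
# Ransom-note names, matched case-insensitively, in .html or .txt form.
NOTE_STEMS = {"ransom", "how to restore your files"}
NOTE_EXTS = {".html", ".txt"}


def is_ransom_note(name):
    stem, ext = os.path.splitext(name.lower())
    return stem in NOTE_STEMS and ext in NOTE_EXTS


def scan_datastore(root):
    """Collect ESXiArgs indicators under root; every list is sorted for stable output."""
    findings = {"encrypted": [], "orphan_args": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            path = os.path.join(dirpath, name)
            if is_ransom_note(name):
                findings["notes"].append(path)
            elif name.endswith(".args"):
                original = name[: -len(".args")]
                _stem, ext = os.path.splitext(original)
                if original in present and ext.lower() in TARGET_EXTS:
                    findings["encrypted"].append(os.path.join(dirpath, original))
                else:
                    findings["orphan_args"].append(path)
    for key in findings:
        findings[key].sort()
    return findings


def is_compromised(findings):
    """A note or any encrypted VM file is enough to escalate to incident response."""
    return bool(findings["encrypted"] or findings["notes"])


def build_sample_tree(root):
    """Constructed sample layout: one hit VM, one clean VM, notes, a stray .args."""
    vm1 = os.path.join(root, "web01")
    vm2 = os.path.join(root, "db01")
    os.makedirs(vm1)
    os.makedirs(vm2)
    for name in ("web01.vmx", "web01.vmx.args", "web01.vmdk", "web01.vmdk.args",
                 "web01-flat.vmdk", "web01.nvram", "web01.nvram.args",
                 "How to Restore Your Files.html"):
        open(os.path.join(vm1, name), "wb").close()
    for name in ("db01.vmx", "db01.vmdk", "db01-flat.vmdk"):
        open(os.path.join(vm2, name), "wb").close()
    open(os.path.join(root, "ransom.html"), "wb").close()
    open(os.path.join(root, "stale.args"), "wb").close()


def scan_sample():
    """Build the constructed tree in a temp dir and return findings as relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_datastore(root)
        return {k: sorted(os.path.relpath(p, root) for p in v)
                for k, v in findings.items()}


if __name__ == "__main__":
    result = scan_sample()
    for key, paths in result.items():
        print(f"{key}: {paths}")
    print("compromised:", is_compromised(result))
```

On a real host, point scan_datastore at the datastore mount point and treat any non-empty "encrypted" or "notes" list as a trigger for isolation and incident response rather than for cleanup in place.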

The use of the Sosemanuk algorithm indicates that ESXiArgs is likely based on the leaked Babuk source code, which has previously been used in other campaigns against ESXi, such as CheersCrypt.

Earlier, cyber security researcher Will Thomas of the Equinix Threat Analysis Center (ETAC) discovered that an updated version of the Royal ransomware had added support for encrypting Linux devices in order to attack VMware ESXi virtual machines.

For those affected, security researcher Enes Sonmez has created a guide to help administrators reconfigure their virtual machines and recover data for free. BleepingComputer has also opened a dedicated ESXiArgs support topic where people report their experience with this attack and get help restoring machines. The ESXiArgs ransomware affected about 3,200 VMware ESXi servers[1].

For 2 years, hackers have exploited a software hole for successful ransomware attacks

In early February 2023, the French Computer Emergency Response Team (CERT-FR) warned of the spread of a new ransomware program, dubbed ESXiArgs. It penetrates victims' systems through a hole in VMware server software.

We are talking about the vulnerability described in the CVE-2021-21974 security bulletin: it affects the VMware ESXi hypervisor. In a successful attack, a remote attacker can trigger a heap overflow in the OpenSLP service, after which the unauthenticated attacker is able to execute arbitrary commands on the host. The issue affects ESXi 7.x before ESXi70U1c-17325551, ESXi 6.7.x before ESXi670-202102401-SG, and ESXi 6.5.x before ESXi650-202102101-SG.

For 2 years, hackers have been using a hole in VMware software for successful ransomware attacks. The number of victims is measured in thousands.

VMware released a patch for the vulnerability back in February 2021, but not all corporate users applied the update. According to Censys, an information security company, at least 2,400 servers have been affected by the ESXiArgs malware worldwide as of February 3, 2023. The Austrian Computer Emergency Response Team later reported that the number of incursions approached 3,300.

In a bulletin published on February 6, 2023, VMware confirmed that this attack exploits old ESXi flaws, not a zero-day vulnerability. The company advises IT administrators to install updates for ESXi servers or disable the OpenSLP service.

The ESXiArgs ransomware encrypts .vmxf, .vmx, .vmdk, .vmsd and .nvram files on compromised ESXi servers and creates a .args file for each encrypted document containing metadata (probably needed for decryption).[2][3]

2022: Hacking software and gaining access to millions of virtual machines

On October 1, 2022, it became known that hackers managed to hack into VMware's ESXi software and gain access to countless virtual machines, which means that they can spy on numerous enterprises using this software, and these enterprises may never know that they are being monitored.

The threat was reported by cyber threat analysis company Mandiant in conjunction with virtualization systems development company VMware.

Hackers hacked VMware software

According to these two companies, unknown attackers believed to be associated with the Chinese hacker group UNC3886 installed two malware implants on bare-metal ESXi hypervisors using vSphere Installation Bundles (VIBs). They named them VirtualPita and VirtualPie. In addition, experts discovered a unique dropper malware called VirtualGate.

An important point is that the attackers did not exploit a zero-day or any other known vulnerability. Instead, they used administrator-level access to the ESXi hypervisors to install their tools.

In a message to WIRED, VMware said that "despite the absence of a VMware vulnerability, we draw attention to the need to apply reliable operating security methods, including secure account management and network security."

VMware also said it has prepared a hardening guide for VMware administrators to help them defend against this type of attack.

The attack allows the attackers to maintain persistent administrative access to the hypervisor, send commands to the hypervisor that are routed to a guest VM for execution, transfer files between the ESXi hypervisor and the guest machines running on it, tamper with logging services on the hypervisor, and execute arbitrary commands from one guest VM to another guest VM if they are on the same hypervisor.[4]

2021

ESXi ARM Edition 1.8 with OpenBSD Guest OS Support

On December 20, 2021, it became known that VMware had made available an updated version of the ESXi ARM Edition 1.8 virtualization platform on its Labs project website. This is a special version of the VMware hypervisor designed for ARM processors (the Raspberry Pi, for example, as well as many IoT devices, are built on this architecture). In the future, this hypervisor will also find use in platforms such as Project Monterey.

ESXi ARM Edition 1.8 introduces:

  • An ACPI fix that allows OpenBSD guest operating systems to be supported.
  • Improved handling of the ITS device ID width in implementations without indirect table support.
  • Improved VMkernel TLB (Translation Lookaside Buffer, the MMU's cache) handling.
  • Improved NUMA handling, especially its error messages[5].

ESXi Arm Edition 1.5

The ESXi Arm Edition 1.5 update has been released on the VMware Labs project website. This became known on August 9, 2021. This is a special version of the VMware hypervisor designed for ARM processors (the Raspberry Pi, for example, as well as many IoT devices, are built on this architecture).


There are not many innovations in the updated version:

  • Small improvements in virtual machine performance
  • Support for the BCM2848 ACPI ID for the USB OTG port (affects the latest versions of the UEFI firmware)
  • Small bug fixes

2019: VMware ESXi 6.5 Update 3

On July 3, 2019, VMware introduced VMware ESXi 6.5 Update 3.

Updated ESXi 6.5 Update 3 features:

  • The ixgben driver adds queue pairing to optimize CPU efficiency.
  • With ESXi 6.5 Update 3, you can monitor license usage and update switch topology. Improvements can also be seen in the Developer Center of the vSphere Client.
  • Support for legacy AMD Zen 2 servers.
  • Many device driver updates: lsi-msgpt2, lsi-msgpt35, lsi-mr3, lpfc/brcmfcoe, qlnativefc, smartpqi, nvme, nenic, ixgben, i40en and bnxtnet.
  • Support for Windows Server Failover Clustering and Windows Server 2019.
  • Added the com.vmware.etherswitch.ipfixbehavior property to distributed virtual switches, allowing users to choose how inbound and outbound traffic is tracked. A value of 1 enables sampling for both inbound and outbound traffic; a value of 0 (the default) enables it only for outbound traffic.[6]

2013: VMware ESXi for VMware vSphere 5.5

VMware announced on August 28, 2013, the release of updates for components of the VMware vSphere 5.5 platform.

VMware ESXi enhancements

  • Hot-Pluggable PCIe SSD Devices - the ability to hot-plug SSDs into the host server without stopping virtual machines. This feature is now available alongside hot-plugging of SAS and SATA disks into the host without stopping VMs.

  • Reliable Memory - improved reliability through support for Reliable Memory technology. The ESXi hypervisor can now use Reliable Memory when placing its core component, the VMkernel, in the server's RAM. This means the memory blocks allocated by the VMkernel are placed optimally and their state is monitored by the CPU, which gives the virtualization system even greater reliability.

  • Improvements in the CPU C-States mechanism - improvements in the ESXi host processor power-saving modes. These further optimize the server's power savings and enable it to quickly return to high-performance mode on Intel chipsets.

ESXi now has the following features:

  • Maximum RAM per host - 4 TB (was 2 TB)
  • The maximum number of vCPUs per host is 4096 (was 2048)
  • NUMA nodes per host - 16 (there were 8)
  • Logical CPUs per host - 320 (was 160)

The main news in this section is that the free vSphere Hypervisor has no limit on physical memory (previously the limit was 32 GB).

Virtual Machine Enhancements

  • VM compatibility in VMware ESXi 5.5 - now provides backward compatibility of VMs with support for various features, such as LSI SAS for Oracle Solaris 11 OS and advanced host controller interface (AHCI).

This is what the VMware vSphere 5.5 virtual machine compatibility matrix looks like with previous generations of platforms:

  • Advanced vGPU support - this feature provides hardware-accelerated 3D graphics output through NVIDIA and AMD graphics adapters.

  • Soft 3D - software rendering of 3D graphics using server memory, without a graphics adapter.
  • vDGA - a graphics adapter (GPU) is allocated to a single virtual machine.
  • vSGA - a shared graphics adapter is used by multiple virtual machines.

Each mode supports VMware vMotion hot migration. You can even move VMs between hosts that have graphics adapters from different vendors installed. If there are compatibility problems or no adapter is available on the target host, the VM simply falls back to Soft 3D rendering.

Guest operating systems are supported: Fedora 17 and later, Ubuntu 12 and later, as well as Red Hat Enterprise Linux (RHEL) 7. vGPU management for Linux is only supported for vSphere Web Client.

  • Graphic Acceleration for Linux Guests.

From the previous feature, it follows that VMware vSphere 5.5 now supports 3D graphics acceleration on Linux. VMware has developed a guest driver that allows most Linux distributions to use hardware acceleration capabilities for virtual machines.

This driver supports:

  • OpenGL 2.1
  • DRM kernel mode setting
  • Xrandr
  • XRender
  • Xv

2011

As of May 2011, this hypervisor does not depend on an operating system. VMware ESXi takes up 32 MB of disk space.

Architecture

Bare-metal architecture

VMware ESXi adds a reliable virtualization layer directly on the server hardware, which gives virtual machines performance, reliability and scalability almost at the level of their physical counterparts.

Small installation size

VMware ESXi occupies 32 MB of disk space, a fraction of the size of a general-purpose operating system. This reduces complexity and provides a unique level of security and reliability.

Server Integration

VMware ESXi is built into the server hardware as an internal component, simplifying and accelerating virtualization implementation.

CPU Virtualization

ESXi provides maximum server utilization and eliminates the risk of insufficient CPU resources for the most important operations. VMware ESXi uses intelligent process scheduling and load balancing across the available processors to manage virtual machines.

Virtualization for Storage

Leveraging high-performance shared storage to centrally store virtual machine files increases manageability, flexibility, and availability.

Virtual disk files. VMware ESXi servers can be added to and removed from a VMFS volume without suspending or interrupting other VMware ESXi instances.

VMFS clustered file system. A clustered file system for centrally storing virtual machine files on high-performance shared storage, increasing manageability, flexibility, and availability.

Logical Volume Manager. Flexible and reliable management of communication between physical storage arrays and the VMFS virtual machine file system.

Raw device mapping. SAN LUNs can additionally be connected directly to a virtual machine to enable application clustering and array-based snapshots while retaining the manageability of VMFS.

Fibre Channel HBA consolidation. Expensive networked storage is shared by multiple virtual machines simultaneously while maintaining resilience to hardware failures.

Write-through I/O. Guarantees reliable recovery of virtual machines in the event of a server failure. Write-through I/O gives virtual machines exactly the same recovery characteristics as physical systems running the same operating system.

Boot from SAN. Running VMware ESX instances in diskless configurations on blade and rack servers eliminates the need to separately back up local server disks.

Virtualizing Network Tools

Virtual machines are networked just like physical machines. Build complex networks on one or more VMware ESXi servers for production or for development and testing.

Virtual network interfaces. You can create one or more virtual network interfaces on each virtual machine. Each of these network interfaces can have its own IP address and even its own MAC address. Therefore, from the point of view of working on the network, virtual machines do not differ from physical ones.

Virtual switches. VMware ESXi emulates a network using virtual switches that connect virtual machines.

Advanced port configuration policies. Using a single configuration object for large groups of ports simplifies port configuration. The configuration object contains all the data needed to enable the port: the NIC teaming policy (now per port rather than per virtual switch), VLAN tagging, Layer 2 security, and traffic shaping.

VLANs. Logical networks are implemented on top of physical networks to separate network traffic for security and load sharing. VLANs in VMware ESXi are compatible with standard VLAN implementations from other vendors. The network configuration can be changed without physically reconnecting cables or changing switch settings. Broadcast traffic transmitted in a virtual network is confined to that network, which reduces the broadcast load on other segments and switches.

Performance and Scalability

With VMware ESXi, you can virtualize even the most demanding production applications, such as databases, ERP systems, and CRM.

Improved virtual machine performance

VMware ESXi delivers improved virtual machine performance with the following solutions:

Optimize network performance. Reduce CPU utilization for network I/O processing.

Supports nested hardware page tables. Accelerate memory translation between guest operating systems and physical memory.

Support for large memory pages. Faster memory access for guest operating systems and the hypervisor.

Support for paravirtualized Linux guest operating systems (Linux kernels version 2.6.21 and higher). Improved performance of operating systems that support virtualization technology.

Advanced Memory Management

Memory overcommitment. Improves RAM usage by allowing virtual machines to be allocated more memory in total than the server physically has. For example, the total memory of all virtual machines running on a server with 8 GB of physical memory can be 16 GB.

Transparent page sharing. Makes more efficient use of available memory by storing identical memory pages used by multiple virtual machines as a single instance. For example, if several virtual machines are running Windows Server 2003, they will have many memory pages with the same content. With transparent page sharing, only one copy of such pages needs to be stored.

Memory ballooning. Dynamically redistributes memory from idle to active virtual machines. This method artificially creates memory pressure in idle virtual machines, forcing them to page data from memory to disk and free up memory for active virtual machines.

Improved power management

Reduce energy costs for the data center with improved power management. VMware ESXi goes into a low-power "HALT" state when the processor is not loaded with tasks.

Virtual SMP technology with support for 4 processors

One virtual machine can use from two to four physical processors at the same time. Virtual SMP technology with support for 4 processors makes it possible to virtualize even the most demanding applications for processor resources, such as database applications and message servers.

64GB of RAM for virtual machines

Increasing the maximum amount of virtual machine memory to 64 GB makes it possible to run even the most RAM-intensive applications.

Support for powerful server systems

Using large server systems with up to 32 logical CPUs and 256 GB of RAM provides benefits for large-scale server consolidation and disaster recovery projects.

Support for up to 128 running virtual machines

The ability to support up to 128 running virtual machines on a single server enables you to take advantage of very large server systems at the enterprise level by consolidating and limiting server growth.

Flexible Virtual Switches

Scale to support more virtual machines. Virtual switches can contain from 8 to 1,016 ports, and each host can be connected to 248 virtual switches.

Wake on LAN

Increases levels of consolidation by being able to put virtual machines on standby when they are not in use.

Compatibility

VMware ESXi is the only virtualization platform that has been optimized, thoroughly tested, and certified for a complete set of servers, storage, operating systems, and applications, and enables enterprise-level standardization.

Equipment

VMware ESXi has been certified to run on rack, tower and blade servers from leading server vendors: Dell, Fujitsu Siemens, HP, IBM, NEC, Sun Microsystems and Unisys, as well as on servers that meet the Intel white-box specifications.

VMware ESXi physically integrates into the server hardware, and the server is ready to work with virtualization immediately after startup.

Storage

VMware ESXi is certified for a wide range of storage systems manufactured by Dell, EMC, EqualLogic, Fujitsu, Fujitsu Siemens, HP, Hitachi Data Systems, IBM, NEC, Network Appliance, StorageTek, Sun Microsystems, 3PAR, and other vendors.

Heterogeneous storage arrays. A single VMFS volume can combine a variety of heterogeneous storage devices.

NAS and iSCSI SAN support. By supporting low-cost, easy-to-manage shared storage, VMware ESXi reduces IT cost of ownership. Advanced VMware Infrastructure capabilities such as VMotion and VMware HA fully support NAS and iSCSI storage.

Support for 4 Gb Fibre Channel SAN. VirtualCenter provides centralized management and configuration of all VMware ESXi servers.

Support for local SATA storage. The use of dedicated servers with local SATA storage systems reduces the cost of organizing and supporting IT environments.

Network

High-performance networking environments such as 10 Gigabit Ethernet enable VMware ESX and VMware ESXi 3.5 to handle the most intense network loads.

Operating systems. Run any applications on VMware virtual machines.

  • Support for 64-bit guest operating systems
  • Solaris 10 Operating System Support
  • Windows Vista operating system support
  • Support for the Ubuntu guest operating system

Applications

Supports applications through the Web Services APIs that are part of the VMware Infrastructure SDK.

Support for other virtual machine formats

With VMware ESXi, you can run virtual machines not only in VMware formats. The free VMware Virtual Machine Importer allows you to run Microsoft® Virtual Server, Virtual PC, and Symantec® LiveState Recovery virtual machines on VMware ESXi.

Management

Remote CLI. VMware ESXi can be managed through a remote execution environment that runs VMware ESXi command scripts.

Advanced management and user interface capabilities. VMware ESXi manages the entire virtual IT environment.

SMI-S compliant management interfaces. Monitor virtual storage with any SMI-S storage management tool.

Virtual Infrastructure Client. With a common user interface, you can manage VMware ESXi, virtual machines, and the VirtualCenter server.

Virtual Infrastructure Web Access. Managing VMware ESXi using a simple web interface (formerly "Management User Interface" or MUI).

Shortcuts for virtual machines. End users gain direct access to virtual machines through a web browser.

Remote devices. Software can be installed on a virtual machine running on the server directly from a CD.

Agentless hardware management with the CIM model. The Common Information Model (CIM) provides a protocol for monitoring hardware health and status using VirtualCenter or third-party programs that support CIM.

Optimize Distributed Resources

Managing resources for virtual machines. Defining advanced provisioning policies for virtual machines provides an opportunity to improve application service levels. Set the minimum, maximum, and proportional fractions for CPU, memory, disk, and bandwidth of network devices. Get the ability to change the amount of resources allocated to running virtual machines. Applications can receive additional resources to maximize dynamic performance.

Prioritizing CPU allocation. CPU power is assigned to virtual machines on a "need and sufficiency" basis, and CPU resource management tools also provide the ability to guarantee the most "important" virtual machines a certain minimum of CPU resources.

Prioritization of I/O traffic in storage. The most "important" virtual machines have priority access to storage devices. The priority of I/O traffic between virtual machines and the disk can be assigned according to the principle of "need and sufficiency."

Network Traffic Shaper. The most "important" virtual machines are given priority access to network links. The network traffic priority of virtual machines can be set on the "need and sufficiency" principle. The traffic shaper controls each virtual machine's network traffic according to peak and average bandwidth limits, as well as the burst size allowed for brief, intense traffic bursts.

Resource pools. Groups of hardware resources virtualized by VMware ESXi can be combined into unified logical resources assigned to virtual machines on demand. Resource pools increase flexibility and efficiency.

Distributed logging. In the event of a server failure, you can quickly restore virtual machines without losing data.

High availability

VMware ESXi provides high availability of virtual machines at the data center level.

Shared Storage. By storing virtual machine files in shared storage, such as Fibre Channel, iSCSI SAN, or NAS, single points of failure are eliminated. SAN mirroring and replication capabilities are used to store updatable copies of virtual disks on disaster recovery sites.

SAN transparency. Real SAN storage is used by virtual machines as easily as virtual disk files. Raw device mapping enables virtual machines to use standard SAN LUNs as well as VMFS LUNs for virtual disk files. Virtual machine data can be backed up and replicated at the file level by the SAN. Clusters of virtual and physical machines with shared SAN storage are easy to configure, providing high availability while saving money.

Built-in alternate storage access paths. Ensure availability of shared storage with multi-path SAN I/O for Fibre Channel and iSCSI, and network interface consolidation for NAS.

Enhanced networking. Each virtual machine on the network gets built-in failover (through NIC teaming) and load balancing, providing greater hardware availability and fault tolerance. New NIC teaming policies allow you to specify multiple active and multiple standby network adapters. The teaming configuration can differ between port groups on the same virtual switch, and different teaming algorithms can be selected for different groups.

Support for Microsoft Clustering Services. You can create clusters of Microsoft Windows virtual machines on one or more physical computers.

Security

Compatibility with SAN security practices. Apply security policies by zoning and masking LUNs.

VLAN tagging. Improves network security by tagging and filtering network traffic in virtual VLANs, limiting the scope of broadcast domains.

Layer 2 network security policies. Apply Ethernet security rules to virtual machines: prevent a virtual machine from sniffing network traffic not intended for it, prevent MAC address changes, and reject forged source MAC addresses in transmitted traffic.

Notes

  1. [1]
  2. [2] In addition, the files "ransom.html" and "How to Restore Your Files.html" are created with a ransom demand. "Massive" new ESXiArgs ransomware campaign has compromised thousands of victims. Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
  3. [3]
  4. VMware virtualization software is being hijacked to spy on businesses
  5. The ESXi Arm Edition platform has been updated to version 1.8
  6. VMware vSphere 6.5 Update 3 and other product updates released