VMware Patches ESXi Vulnerability That Earned Hacker $200,000
On Thursday, VMware informed customers that it has released patches for a critical remote code execution vulnerability in ESXi that was demonstrated at China’s Tianfu Cup hacking competition earlier this month. The exploit, which took only 24 seconds to run and earned the hacking team a total of $200,000, ended with the researcher demonstrating control of the host operating system. The researcher, a member of the 360Vulcan team, received the highest single payout of the event.
VMware employees attended the event and were therefore given details of the exploit right after the demonstration, which took place less than a month ago. The vulnerability affects ESXi versions 6.0, 6.5, and 6.7 running on any platform. VMware took just over two weeks to patch it, compared to last year, when it needed only one week to patch the flaws revealed during the Tianfu Cup. VMware stated that the flaw lies in OpenSLP, the implementation of the Service Location Protocol that ESXi uses to advertise and locate services on a network. Because SLP is a network-facing service, administrators who cannot patch immediately should at least confirm which hosts expose it to untrusted networks.
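As an added example (not code from the article, from VMware, or from the OpenSLP project), the following minimal SLPv2 client, built from the message layout in RFC 2608, lets an administrator check whether a host answers SLP requests on port 427, which is how you would inventory ESXi hosts that still expose the service. The service type `service:wbem` and the scope `DEFAULT` are assumptions about what the host advertises; the `probe` function name, the `build_srvrply` helper and the sample reply it constructs are mine, used only so the parser can be exercised offline.

```python
# Added example, not from the article or from VMware: a minimal SLPv2 client
# following RFC 2608, used to check whether a host's SLP daemon answers on 427.
# Assumptions: service type "service:wbem" and scope "DEFAULT"; adjust as needed.
import socket
import struct

SLP_PORT = 427      # IANA-assigned port for SLP (UDP and TCP)
SLP_VERSION = 2
FN_SRVRQST = 1      # Service Request
FN_SRVRPLY = 2      # Service Reply


def _lstr(text):
    """Length-prefixed string, the encoding used throughout SLPv2 bodies."""
    raw = text.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw


def build_header(function_id, body, xid, lang="en"):
    """Prepend the SLPv2 header (14 bytes plus language tag) to a message body."""
    lang_raw = lang.encode("ascii")
    total = 14 + len(lang_raw) + len(body)
    header = struct.pack("!BB", SLP_VERSION, function_id)
    header += total.to_bytes(3, "big")          # 24-bit total message length
    header += struct.pack("!H", 0)              # flags: unicast, no overflow
    header += (0).to_bytes(3, "big")            # next extension offset: none
    header += struct.pack("!HH", xid, len(lang_raw)) + lang_raw
    return header + body


def build_srvrqst(service_type="service:wbem", scope="DEFAULT", xid=1):
    """SrvRqst: empty previous-responder list, one service type, one scope,
    no predicate and no SLP SPI."""
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    return build_header(FN_SRVRQST, body, xid)


def build_srvrply(urls, xid=1, lifetime=65535):
    """SrvRply carrying the given URLs (constructed here to test the parser offline)."""
    body = struct.pack("!HH", 0, len(urls))     # error code 0, URL entry count
    for url in urls:
        raw = url.encode("utf-8")
        # URL entry: reserved(1), lifetime(2), URL length(2), URL, #auth blocks(1)
        body += struct.pack("!BHH", 0, lifetime, len(raw)) + raw + b"\x00"
    return build_header(FN_SRVRPLY, body, xid)


def parse_srvrply(pkt):
    """Decode an SLPv2 message; returns URLs for a SrvRply, raises on malformed input."""
    if len(pkt) < 14 or pkt[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    function_id = pkt[1]
    if int.from_bytes(pkt[2:5], "big") != len(pkt):
        raise ValueError("length field does not match packet size")
    xid, lang_len = struct.unpack("!HH", pkt[10:14])
    pos = 14 + lang_len
    if function_id != FN_SRVRPLY:
        return {"xid": xid, "function": function_id, "error": None, "urls": []}
    error, count = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    urls = []
    for _ in range(count):
        _reserved, _lifetime, url_len = struct.unpack("!BHH", pkt[pos:pos + 5])
        pos += 5
        urls.append(pkt[pos:pos + url_len].decode("utf-8"))
        pos += url_len
        num_auths = pkt[pos]
        pos += 1
        for _ in range(num_auths):
            # auth block: descriptor(2), block length(2), ...; skip by its length
            pos += struct.unpack("!H", pkt[pos + 2:pos + 4])[0]
    return {"xid": xid, "function": function_id, "error": error, "urls": urls}


def probe(host, timeout=2.0):
    """Send one unicast SrvRqst over UDP; return the parsed reply or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srvrqst(xid=0x5A5A), (host, SLP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_srvrply(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: slp_probe.py <host>")
```

A host that returns a SrvRply here is reachable on the SLP port from wherever the probe runs; a host that stays silent may still be listening on TCP or may simply not advertise the assumed service type, so treat silence as inconclusive rather than as proof that the service is off.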