  • Enable AppFW signature for CVE-2021-21972 as extra protection on unpatched VMware ESXi servers

    NetScaler Cyber Threat Intelligence
    • Validation Status: Work In Progress
      Has Video?: No

    A surge in ransomware attacks targeting unpatched VMware ESXi servers has been reported by several security-related fora (bleepingcomputer, thestack, helpnetsecurity, checkpoint). The attackers appear to be actively exploiting an old vulnerability tracked as CVE-2021-21974. The flaw is a heap overflow in the OpenSLP service. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap overflow, resulting in remote code execution.

    VMware promptly published a security advisory disclosing the CVEs and urged users to update their impacted versions as described below (copied from this KB article).



    | | Impacted Versions | Fixed Version | Release Date | VAMI/Release Notes Build Number | Build Number |
    |---|---|---|---|---|---|
    | | All versions prior to 7.0 U1c | 7.0 U1c (or later) | | 17327517 (or later) | 17327586 (or later) |
    | 6.7 VCSA | All versions prior to 6.7 U3l | 6.7 U3l (or later) | | 17138064 (or later) | 17137327 (or later) |
    | 6.7 Windows | All versions prior to 6.7 U3l | 6.7 U3l (or later) | | 17138064 (or later) | 17137232 (or later) |

    | | Impacted Version | Fixed Version | Release Date | Build Number |
    |---|---|---|---|---|
    | 6.5 (VCSA and Windows) | All versions prior to 6.5 U3n | 6.5 U3n (or later) | | 17590285 (or later) |

    The NetScaler Research Team analyzed the issue and determined that signature update version 59 (released March 2021) has the required protection to mitigate the risks associated with CVE-2021-21974 exploitation. More specifically, a malicious actor must be in the network to exploit CVE-2021-21974. The signature for CVE-2021-21972 (also covering CVE-2021-21973) mitigates the risk when an actor is outside the network.


    | Signature Rule | CVE ID | |
    |---|---|---|
    | | | WEB-MISC The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. |

    Customers using WAF can reduce the risk this vulnerability poses to their servers by applying this signature to their WAF deployments as an additional layer of protection. The signature has been included since signature update 59 (March 2021), so a regularly updated system already includes it.

    • Signatures are compatible with the following software versions of NetScaler: 11.1, 12.0, 12.1, 13.0, and 13.1. 
    • Please note that versions 11.1 and 12.0 have reached EoL.

    If you are already using WAF with signatures with the auto-update feature enabled, follow these steps after verifying that the signature version is at least version 59:

    1. Search your signatures for LogString by providing the value “CVE-2021-21972”.
    2. Select the presented signature rules with ID 999319.
    3. Choose “Enable Rules” and click OK.
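
A follow-up check once the rule is enabled, added here as an example and not part of the original article or NetScaler's own tooling: it scans WAF log lines for hits on rule ID 999319 and separates requests that were blocked from ones that were only logged. It assumes the appliance writes WAF events in CEF; the sample lines, addresses, URLs and profile names are constructed placeholders.

```python
import re

RULE_ID = "999319"  # signature rule ID from the steps above

# Constructed sample lines (not real traffic). Assumption: the appliance logs
# WAF events in CEF; addresses, URLs and profile names are placeholders.
SAMPLE_LOG = """\
CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_SIGNATURE_MATCH|6|src=203.0.113.10 spt=50112 method=POST request=https://vcenter.example.test/placeholder msg=Signature violation rule ID 999319: web-misc placeholder log string cn1=101 cn2=2001 cs1=waf_prof_vcenter cs2=PPE0 cs3=sessA cs4=ALERT cs5=2023 act=blocked
CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_SIGNATURE_MATCH|6|src=198.51.100.7 spt=41877 method=POST request=https://vc2.example.test/placeholder msg=Signature violation rule ID 999319: web-misc placeholder log string cn1=102 cn2=2002 cs1=waf_prof_legacy cs2=PPE1 cs3=sessB cs4=ALERT cs5=2023 act=not blocked
CEF:0|Citrix|NetScaler|NS13.1|APPFW|APPFW_SIGNATURE_MATCH|6|src=192.0.2.44 spt=60001 method=GET request=https://app.example.test/placeholder msg=Signature violation rule ID 807: unrelated placeholder rule cn1=103 cn2=2003 cs1=waf_prof_app cs2=PPE0 cs3=sessC cs4=ALERT cs5=2023 act=blocked
this line is not CEF and must be skipped
"""

# key=value pairs; a value runs until the next " key=" or the end of the line.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
RULE_RE = re.compile(r"rule ID (\d+)")

def parse_cef(line):
    """Return the CEF extension as a dict, or None for non-WAF-signature lines."""
    parts = line.strip().split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    if parts[4] != "APPFW" or parts[5] != "APPFW_SIGNATURE_MATCH":
        return None
    return dict(EXT_RE.findall(parts[7]))

def triage(log_text, rule_id=RULE_ID):
    """Group hits on rule_id by outcome, as (source IP, WAF profile) pairs."""
    hits = {"blocked": [], "not_blocked": []}
    for line in log_text.splitlines():
        event = parse_cef(line)
        if event is None:
            continue
        match = RULE_RE.search(event.get("msg", ""))
        if not match or match.group(1) != rule_id:
            continue
        outcome = "blocked" if event.get("act") == "blocked" else "not_blocked"
        hits[outcome].append((event.get("src"), event.get("cs1")))
    return hits

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("blocked:", result["blocked"])
    # Hits that were only logged point at a profile that is not blocking.
    print("logged only:", result["not_blocked"])
```

Entries under "logged only" identify WAF profiles where the rule matches but the request still reaches the backend, so those profiles are the ones to review.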


    We recommend that WAF customers use the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. We will continue to monitor this dynamic situation and update as new mitigations become available.


    Additional Information

    WAF has a single code base across physical, virtual, bare-metal, and containers. This signature update applies to all WAF form factors and deployment models.

    Check out our alert and bot signature articles to learn more about WAF signatures and how you can receive signature alert notifications.

    Patches and Mitigations

    We strongly recommend that customers apply patches (from Cambium Networks and/or other vendors) as soon as they are made available. Until a patch is made public, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).

    Learn more about Web App Firewall in our product documentation.

