vCenter Server Appliance (and PSC) 6.x Workaround for vulnerabilities which require local access

Article ID: 342788

Products

VMware vCenter Server

Issue/Introduction

The vCenter Server Appliance team has investigated the impact of vulnerabilities which require local access (such as local privilege escalation, local information disclosures, local denial of service, etc.) and determined that the product can be protected from these types of vulnerabilities by performing the steps detailed in this article. This workaround is meant to be a temporary solution only.

Warning

This workaround is applicable ONLY to vCenter Server Appliance (and PSC) 6.0, 6.5, and 6.7. Do not apply this workaround to other VMware products.

Functionality Impacts

Users with the "Operator" role may not be able to perform actions that were previously possible while the workaround is in place. This is the only functionality impact known at the time of publishing this article.

Environment

VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.5.x

Resolution

To work around this issue, apply one of the following workarounds.

Workaround 1

Remove access to the appliance shell for non-root users:
Note: These steps must not be applied to the service account users root, sso-user, and dnsmasq.

  1. Log in to the vCenter Server Appliance with an SSH session as the root user.
  2. Back up the /etc/passwd file with this command:
cp /etc/passwd /etc/passwd.bkup
  3. To list all users, run this command in the appliance shell and take note of the users listed:
user.list
  4. Open the /etc/passwd file with a plain text editor using this command:
vi /etc/passwd
  5. Search for all non-root users who have operator access.
For example, the user test has access to appliancesh:

test:x:1020:100:test:/home/test:/bin/appliancesh
  6. Change the default shell from /bin/appliancesh to /sbin/nologin.
For example:
test:x:1020:100:test:/home/test:/sbin/nologin
  7. Save and exit the file.
To confirm that the workaround is in place, run these steps:
  1. Attempt to log in to the vCenter Server Appliance using SSH with a user that has the Operator role.
  2. Operator users should no longer be able to log in.
To remove the workaround, run these steps:
  1. Log in to the vCenter Server Appliance with an SSH session as the root user.
  2. Back up the /etc/passwd file with this command:
cp /etc/passwd /etc/passwd.modified.bkup
  3. Change the default shell from /sbin/nologin back to /bin/appliancesh for all the Operator users.
For example:
test:x:1020:100:test:/home/test:/bin/appliancesh
  4. Save and exit the file.
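The following script is an added example and is not part of the VMware article. It performs the Workaround 1 edit mechanically on a copy of the passwd file: it backs the file up, rewrites the login shell of every account currently set to /bin/appliancesh to /sbin/nologin, skips the service accounts the article names (root, sso-user, dnsmasq), and reports which accounts it changed so the result can be checked against the output of user.list. The function names (apply_nologin, count_shell, is_service_account) and the demo's passwd entries are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the VMware KB article). Rewrites login shells in a
# passwd-format file. Run the demo on a temporary copy first; only point it at
# /etc/passwd on the appliance once you are satisfied with the reported changes.

# Service accounts the article says must not be modified.
SERVICE_ACCOUNTS="root sso-user dnsmasq"

# is_service_account USER : succeed if USER is one of the protected accounts.
is_service_account() {
    for svc in $SERVICE_ACCOUNTS; do
        [ "$1" = "$svc" ] && return 0
    done
    return 1
}

# apply_nologin FILE FROM_SHELL TO_SHELL
# Backs FILE up to FILE.bkup, then changes every non-service account whose
# shell is FROM_SHELL to TO_SHELL. Prints one changed username per line.
apply_nologin() {
    file=$1; from=$2; to=$3
    cp "$file" "$file.bkup"
    tmp="$file.tmp"
    : > "$tmp"
    # The "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        user=${line%%:*}     # first field: username
        shell=${line##*:}    # last field: login shell
        if [ "$shell" = "$from" ] && ! is_service_account "$user"; then
            printf '%s:%s\n' "${line%:*}" "$to" >> "$tmp"
            printf '%s\n' "$user"
        else
            printf '%s\n' "$line" >> "$tmp"
        fi
    done < "$file"
    mv "$tmp" "$file"
}

# count_shell FILE SHELL : number of accounts in FILE whose login shell is SHELL.
# Useful as the post-change check: appliancesh should only remain on service accounts.
count_shell() {
    awk -F: -v s="$2" '$NF == s { n++ } END { print n + 0 }' "$1"
}

# Demo on a constructed passwd file in a temporary directory (never /etc/passwd).
demo() {
    d=$(mktemp -d)
    f="$d/passwd"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'sso-user:x:1001:100:sso:/home/sso-user:/bin/appliancesh' \
        'test:x:1020:100:test:/home/test:/bin/appliancesh' \
        'svc:x:1030:100:svc:/home/svc:/sbin/nologin' > "$f"
    echo "Changed accounts:"
    apply_nologin "$f" /bin/appliancesh /sbin/nologin
    echo "Accounts still on /bin/appliancesh: $(count_shell "$f" /bin/appliancesh)"
    echo "Backup written to $f.bkup"
    rm -rf "$d"
}

demo
```

On the appliance the call would be `apply_nologin /etc/passwd /bin/appliancesh /sbin/nologin`. Do not revert by simply swapping the two shell arguments: that would also move accounts that were already /sbin/nologin before the workaround onto appliancesh. Restore the individual Operator users as the article describes, or diff the file against the .bkup copy the function wrote and restore from that.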

Workaround 2

Disable the bash shell on the vCenter Server Appliance:
  1. Log in to the vCenter Server Appliance with an SSH session as the root user.
  2. Change to the appliancesh shell by running this command:
# appliancesh
  3. Log in using the root username and password.
  4. Run this command to disable the bash shell:
shell.set --enabled false
To validate the workaround, run these steps:
  1. Log in to the vCenter Server Appliance with an SSH session as a non-root user.
  2. The login succeeds and the appliancesh is launched.
  3. Attempt to switch to the Bash shell by running the shell command.
  4. Non-root users should not be able to switch to the Bash shell.
Note: The default shell is the Appliance Shell unless manually changed to Bash or nologin. For more information, see Toggling the vCenter Server Appliance 6.x default shell.
To remove the workaround, run these steps:
  1. Log in to the vCenter Server Appliance with an SSH session as the root user.
  2. Run this command to enable the bash shell:
shell.set --enabled true

Example vulnerabilities that this workaround will be effective against:
  • CVE-2017-5753
  • CVE-2017-5715
  • CVE-2017-5754


Additional Information

Simplified Chinese: vCenter Server Appliance (and PSC) 6.5/6.0 Workaround for vulnerabilities which require local access