To work around this issue, apply one of the following workarounds.
Workaround 1
Remove access to the appliance shell for non-root users:
Note: These steps must not be applied to the service account users root, sso-user and dnsmasq.
- Login to the vCenter Server Appliance with an SSH session and the root user.
- Back up the /etc/passwd file with this command:
cp /etc/passwd /etc/passwd.bkup
- To list all users, run this command in the appliance shell and take note of the users listed:
user.list
- Open the /etc/passwd file with a plain text editor using this command:
vi /etc/passwd
- Search for all non-root users who have operator access, that is, whose login shell (the last field) is /bin/appliancesh.
For example, the user test has access to appliancesh:
test:x:1020:100:test:/home/test:/bin/appliancesh
- Change the login shell for each of these users from /bin/appliancesh to /sbin/nologin.
For example:
test:x:1020:100:test:/home/test:/sbin/nologin
- Save and exit the file.
To confirm that the workaround is in effect, run these steps:
- Attempt to log in to the vCenter Server Appliance using SSH as a user with the Operator role.
- Operator users should no longer be able to log in.
To remove the workaround, run these steps:
- Log in to the vCenter Server Appliance with an SSH session and the root user.
- Back up the modified /etc/passwd file with this command:
cp /etc/passwd /etc/passwd.modified.bkup
- Open /etc/passwd in a plain text editor and change the login shell from /sbin/nologin back to /bin/appliancesh for all the Operator users.
For example:
test:x:1020:100:test:/home/test:/bin/appliancesh
- Save and exit the file.
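The edit and its reversal above can be scripted so that the change is reviewed on a copy before /etc/passwd is touched. The following is an added example, not code from the VMware KB: it works on a constructed sample passwd file, excludes the three service accounts named in the note, rewrites only the shell field, and when reverting restores /bin/appliancesh only for accounts that had it in the original backup (so an account that was already /sbin/nologin is not accidentally given a shell). The file paths and the sample users are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the VMware KB: applies Workaround 1 to a copy of
# /etc/passwd so the change can be reviewed before it touches the appliance.
# The sample passwd content below is constructed for illustration.
set -eu

# Service accounts whose shell must not be changed (from the KB note).
KEEP_USERS="root sso-user dnsmasq"

# Write a constructed sample /etc/passwd to the given path.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/appliancesh
bin:x:1:1:bin:/bin:/bin/false
dnsmasq:x:2:2:dnsmasq:/var/lib/dnsmasq:/bin/appliancesh
sso-user:x:1010:100:sso-user:/home/sso-user:/bin/appliancesh
test:x:1020:100:test:/home/test:/bin/appliancesh
operator2:x:1021:100:operator2:/home/operator2:/bin/appliancesh
alice:x:1030:100:alice:/home/alice:/bin/bash
EOF
}

# Print the login shell (field 7) of user $2 in passwd file $1.
shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Print the users the workaround applies to: login shell /bin/appliancesh
# and not one of the protected service accounts.
list_operator_users() {
    awk -F: -v keep="$KEEP_USERS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        $7 == "/bin/appliancesh" && !($1 in skip) { print $1 }' "$1"
}

# Apply the workaround: back up $1 to $2, then write a copy to $3 in which
# every operator user's shell is /sbin/nologin. Only field 7 is touched.
apply_workaround() {
    src=$1; backup=$2; dst=$3
    cp "$src" "$backup"
    awk -F: -v OFS=: -v keep="$KEEP_USERS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        $7 == "/bin/appliancesh" && !($1 in skip) { $7 = "/sbin/nologin" }
        { print }' "$src" > "$dst"
}

# Remove the workaround: back up the modified file $1 to $3, then write $4,
# restoring /bin/appliancesh only for users that had it in the original
# backup $2 (an account that was already /sbin/nologin stays that way).
remove_workaround() {
    src=$1; orig=$2; backup=$3; dst=$4
    cp "$src" "$backup"
    awk -F: -v OFS=: -v keep="$KEEP_USERS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        NR == FNR { was[$1] = $7; next }
        $7 == "/sbin/nologin" && !($1 in skip) && was[$1] == "/bin/appliancesh" { $7 = "/bin/appliancesh" }
        { print }' "$orig" "$src" > "$dst"
}

# Demo on a throwaway copy of the sample file: sh workaround1.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_passwd "$d/passwd"
    echo "operator users:"; list_operator_users "$d/passwd"
    apply_workaround "$d/passwd" "$d/passwd.bkup" "$d/passwd.new"
    echo "after:"; cat "$d/passwd.new"
    rm -rf "$d"
fi
```

On a real appliance (an assumption about a Linux-based vCSA, run as root), the sequence is: `list_operator_users /etc/passwd` to review who will be affected, `apply_workaround /etc/passwd /etc/passwd.bkup /tmp/passwd.new`, `diff /etc/passwd /tmp/passwd.new` to check that only the shell field of the expected users changed, and then `cat /tmp/passwd.new > /etc/passwd` so the original file's mode and ownership are preserved rather than replaced by a moved temp file.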
Workaround 2
Disable the bash shell on vCenter Server Appliance:
- Log in to the vCenter Server Appliance with an SSH session and the root user.
- Change to the appliance shell by running this command:
# appliancesh
- Log in using the root username and password.
- Run this command to disable the Bash shell:
shell.set --enabled false
To validate the workaround, run these steps:
- Log in to the vCenter Server Appliance with an SSH session and a non-root user.
- The login succeeds and appliancesh is launched.
- Attempt to switch to the Bash shell by running the shell command.
- Non-root users should no longer be able to switch to the Bash shell.
To remove the workaround, run these steps:
- Log in to the vCenter Server Appliance with an SSH session and the root user.
- In the appliance shell, run this command to enable the Bash shell:
shell.set --enabled true
Example vulnerabilities that these workarounds are effective against (the speculative-execution side-channel issues known as Spectre variant 1, Spectre variant 2 and Meltdown, which require an attacker to run code on the appliance, so removing shell access for non-root users reduces exposure):
- CVE-2017-5753
- CVE-2017-5715
- CVE-2017-5754