vRealize Automation Appliance 6.2.x Workaround for vulnerabilities which require local access
Article ID: 336922
Updated On:
Products
VMware Aria Suite
Issue/Introduction
The vRealize Automation team has investigated the impact of vulnerabilities which require local access (such as local privilege escalation, local information disclosures, local denial of service, etc.) and determined that the product can be protected from these types of vulnerabilities by performing the steps detailed in this article. This workaround is meant to be a temporary solution only.
Warning:
Workaround 1: All non-root custom users identified in the resolution section may not be able to perform actions that were previously possible while the workaround is in place due their disabled SSH access.
Workaround 2: All users, including root, may not be able to perform actions that were previously possible while the workaround is in place due to disabled SSH service.
Warning:
- This workaround is applicable ONLY to vRealize Automation Appliance 6.2.x. Do not apply this workaround to other VMware products.
- This workaround must be applied to all vRealize Automation appliances in High Availability deployments.
Workaround 1: All non-root custom users identified in the resolution section may not be able to perform actions that were previously possible while the workaround is in place due their disabled SSH access.
Workaround 2: All users, including root, may not be able to perform actions that were previously possible while the workaround is in place due to disabled SSH service.
Environment
VMware vRealize Automation 6.2.x
Resolution
To implement the workaround for one of the following:
Workaround 1
Remove access to the appliance shell for non-root users:- Login to the vRealize Automation Appliance with a SSH session and the root user.
- Backup the /etc/passwd file with this command:
cp /etc/passwd /etc/passwd.bkup
- Download the 52497_identify_non_root_users62x.py.gz script.
- Extract and transfer the script to the appliance.
- Run this command to make sure that the script is executable:
chmod 755 identify_non_root_users62x.py
- To list all the non-root custom users, run this command and take note of the users listed
python identify_non_root_users62x.py
If there are no users listed in the console, there are no users to disable.
- Open the /etc/passwd file with a plain text editor using this command:
vi /etc/passwd
- Search for all non-root users identified in step 6.
For example the user test has access to bash.
test:x:1020:100:test:/home/test:/bin/bash
- Change the default shell access from /bin/bash to /sbin/nologin.
For example:
test:x:1020:100:test:/home/test:/sbin/nologin
- Save and exit the file.
- Attempt to log into vRealize Automation Appliance using SSH and with a non-root user from step 6.
- Non-root users should no longer be able to log in.
- Login to the vRealize Automation Appliance with an SSH session and the root user.
- Backup the /etc/passwd file by with this command:
cp /etc/passwd /etc/passwd.modified.bkup
- Change the default shell access from /sbin/nologin to /bin/bash for all the non-root users.
For example:
test:x:1020:100:test:/home/test:/bin/bashsh
- Save and Exit the file
Workaround 2
Disable the SSH shell on vRealize Automation Appliance:- Login to the vRealize Automation Appliance with an SSH session and the root user.
- Once logged in, run these commands:
- /etc/init.d/sshd stop
- chkconfig sshd off
To validate the workaround run these following steps:
- Try to log in from any other machine using SSH to the appliance.
- It should prompt that connection is refused.
To remove the workaround run these steps:
- Log in from the vSphere console as root.
- Start the ssh service with the command /etc/init.d/sshd start.
- Run the command chkconfig sshd on.
- CVE-2017-5753
- CVE-2017-5715
- CVE-2017-5754
Additional Information
Attachments
Feedback
Yes
No
Powered by
