Multiple attempts to log in to an ESXi host with incorrect credentials might cause the hostd service to stop responding (CVE-2019-5528)
Article ID: 317536
Updated On:
Products
VMware
Issue/Introduction
Symptoms:
- ESXi host is marked as Not responding in vCenter Server.
- In the /var/log/vobd.log you see entries similar to:
2019-04-20T17:11:03.592Z: [UserLevelCorrelator] 459377077473us: [esx.audit.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after XXX failed login attempts.
2019-04-20T17:11:03.592Z: [GenericCorrelator] 459377077235us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after XXX failed login attempts.
2019-04-20T17:11:03.592Z: [GenericCorrelator] 459377077235us: [vob.user.account.locked] Remote access for ESXi local user account 'root' has been locked for 900 seconds after XXX failed login attempts.
- In the var/log/hostd.log you see entries similar to
2019-04-29T22:44:39.149Z error hostd[10280B70] [Originator@6876 sub=HTTP session map] Out of HTTP sessions: Limited to 500
- In the var/log/vmkernel.log you see entries similar to
2019-04-29T16:25:01.263Z cpu3:905847)ALERT: hostd detected to be non-responsive
2019-04-29T18:45:01.697Z cpu30:915767)MemSched: 14635: Admission failure in path: hostd-probe/stats/probe/vmkbacktrace.915767/uw.915767
2019-04-29T18:45:01.698Z cpu13:915765)MemSched: 14635: Admission failure in path: hostd-probe/stats/vsish/vsish.915765/uw.915765
2019-04-29T19:20:01.780Z cpu18:918118)MemSched: 14635: Admission failure in path: hostd-probe/stats/vsish/vsish.918118/uw.918118
2019-04-29T19:20:01.781Z cpu18:918118)MemSched: 14635: Admission failure in path: hostd-probe/stats/vsish/vsish.918118/uw.918118
2019-04-29T19:20:01.782Z cpu30:918112)MemSched: 14635: Admission failure in path: hostd-probe/stats/probe/vmkbacktrace.918112/uw.918112
2019-04-29T19:55:01.868Z cpu18:920299)MemSched: 14635: Admission failure in path: hostd-probe/stats/probe/vmkbacktrace.920299/uw.920299
2019-04-29T18:45:01.697Z cpu30:915767)MemSched: 14635: Admission failure in path: hostd-probe/stats/probe/vmkbacktrace.915767/uw.915767
2019-04-29T18:45:01.698Z cpu13:915765)MemSched: 14635: Admission failure in path: hostd-probe/stats/vsish/vsish.915765/uw.915765
2019-04-29T19:20:01.780Z cpu18:918118)MemSched: 14635: Admission failure in path: hostd-probe/stats/vsish/vsish.918118/uw.918118
2019-04-29T19:20:01.781Z cpu18:918118)MemSched: 14635: Admission failure in path: hostd-probe/stats/vsish/vsish.918118/uw.918118
2019-04-29T19:20:01.782Z cpu30:918112)MemSched: 14635: Admission failure in path: hostd-probe/stats/probe/vmkbacktrace.918112/uw.918112
2019-04-29T19:55:01.868Z cpu18:920299)MemSched: 14635: Admission failure in path: hostd-probe/stats/probe/vmkbacktrace.920299/uw.920299
- In var/run/log/vmsyslogd-dropped.log, you see entries similar to
2019-04-23T10:42:45.992Z: <85>Apr 23 10:42:45 Hostd: pam_tally2(vmware-authd:auth): user root (0) tally 37, deny 5
2019-04-23T10:40:19.548Z: <85>Apr 23 10:40:19 Hostd: pam_tally2(vmware-authd:auth): user root (0) tally 34, deny 5
Note:The preceding log excerpts are only examples.Date,time and environmental variables may vary depending on your environment2019-04-23T10:40:19.548Z: <85>Apr 23 10:40:19 Hostd: pam_tally2(vmware-authd:auth): user root (0) tally 34, deny 5
Resolution
To resolve this upgrade to ESXi 6.5 U3 and ESXi 6.7 U3.For details on this vulnerability including currently available remediation, please see VMSA-2019-0011 .
Workaround:
To work around this issue, follow the steps given below:
Workaround:
To work around this issue, follow the steps given below:
- Login to affected ESXi host via SSH.
- Take a backup of config file by running below command:
cp /etc/vmware/hostd/config.xml /etc/vmware/hostd/config.xml-backup
- Edit /etc/vmware/hostd/config.xml using vi editor
- Add below line:
<ioTrackers> false </ioTrackers>
Example:
Before change
<config>
<!-- Host agent configuration file for ESX/ESXi -->
<!-- the version of this config file -->
<version>6.6.0.0</version>
After change
<config>
<!-- Host agent configuration file for ESX/ESXi -->
<ioTrackers> false </ioTrackers>
<!-- the version of this config file -->
<version>6.6.0.0</version>
Example:
Before change
<config>
<!-- Host agent configuration file for ESX/ESXi -->
<!-- the version of this config file -->
<version>6.6.0.0</version>
After change
<config>
<!-- Host agent configuration file for ESX/ESXi -->
<ioTrackers> false </ioTrackers>
<!-- the version of this config file -->
<version>6.6.0.0</version>
- Save and close the file.
- Restart the hostd service by running the following command:
/etc/init.d/hostd restart
Additional Information
For more information, see VMware ESXi (6.5, 6.7) Crashing During Nessus Scan.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on
third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any
responsibility for the content of such sites.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on
third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any
responsibility for the content of such sites.
Feedback
Yes
No
Powered by
