Wednesday, March 17, 2021

ESXi Vulnerability Remediation

Security is a mandatory, first-priority task for IT engineers: the environment has to be secure, reliable and stable for the business to run smoothly.


This post covers vulnerability remediation for VMware ESXi 6.5 hosts.

As per the Rapid7 scan report, the following vulnerabilities exist on the ESXi 6.5 hosts.

As of now, my ESXi hosts are running ESXi 6.5 at update level (build) 13004031.

CVE-2017-16544, CVE-2021-21974, CVE-2019-5531, CVE-2019-5528, CVE-2020-3976, CVE-2018-12207, CVE-2020-3982, CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2020-3968, CVE-2020-4004, CVE-2020-3967, CVE-2020-3969, CVE-2020-3960, CVE-2020-3962, CVE-2011-3389, CVE-2020-3955, CVE-2020-3966, CVE-2020-3995, CVE-2020-3981, CVE-2020-3971, CVE-2020-3965, CVE-2019-11135, CVE-2020-3958, CVE-2020-3959, CVE-2020-3963, CVE-2020-3970, CVE-2020-3964.

These findings range from Critical down to High, Medium and Low severity and need to be remediated as soon as possible to secure the environment. CVE-2021-21974 in particular is a heap overflow in the ESXi OpenSLP service that can be triggered over port 427 from the same network segment without authentication, so the patch below should not wait for a convenient window.

Most of the findings are remediated by applying the latest ESXi 6.5 security patch below to the ESXi hosts.

Version         Release Name         Build Number
ESXi 6.5 P06    ESXi650-202102001    17477841

Once this patch has been applied, most of the findings are resolved, but the ones below remain because they come from configuration rather than from patched code. Remediating them requires changes on the VCSA and on the ESXi hosts.

Vulnerability Title
- TLS/SSL Server is enabling the BEAST attack
- TLS Server Supports TLS version 1.0
- TLS Server Supports TLS version 1.1
- TLS/SSL Server Supports The Use of Static Key Ciphers
- SSH CBC vulnerability
- SSH Server Supports 3DES Cipher Suite
- Untrusted TLS/SSL server X.509 certificate

To remediate these pending findings, follow the steps below.

 

1. For the TLS/SSL findings, disable TLS 1.0 and 1.1 on the VCSA so that only TLS 1.2 remains enabled, then reboot it. This is done with VMware's TLS Configurator utility; refer to https://kb.vmware.com/s/article/2147469. Disabling TLS 1.0 also clears the BEAST finding, which only affects TLS 1.0 and older. Take a backup or snapshot of the VCSA first, and check that anything that connects to vCenter over TLS (backup software, monitoring, third-party plug-ins) supports TLS 1.2, because those connections stop working once the older protocols are off.

2. Once the VCSA is remediated, disable TLS 1.0 and 1.1 on the ESXi hosts in the same way, leaving only TLS 1.2, and reboot the hosts. Do the hosts one at a time, putting each into maintenance mode before the reboot.

 

3. For the SSH findings (3DES cipher suite and SSH CBC), edit the sshd config file on each ESXi host and remove 3des-cbc from the Ciphers line; dropping every CBC-mode cipher from that line clears the SSH CBC finding at the same time. Restart the SSH service on the host afterwards and confirm you can still log in before moving on to the next host.

4. For the TLS/SSL Server Supports The Use of Static Key Ciphers finding, edit the file /etc/vmware/rhttpproxy/config.xml on each ESXi host and add this entry

<cipherList>ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384</cipherList>

inside the <ssl> … </ssl> element that sits under <vmacore>, then restart the rhttpproxy service. The excluded suites (AES128-SHA, AES256-GCM-SHA384 and the others without an ECDHE prefix) use static RSA key exchange, which is what the scanner reports; the one suite that remains uses ECDHE and provides forward secrecy. Keep a copy of the original file, and check that vCenter can still connect to the host after the restart.

 

5. For the Untrusted TLS/SSL server X.509 certificate finding, replace the default VMCA-signed certificates with certificates issued by your company CA, so that communication between vCenter and the ESXi hosts uses a chain that the scanner and your clients trust. Apply the custom CA certificate on the vCenter/PSC servers first and then on the ESXi hosts.

For this task you can refer to my blog: https://mycloudarena.blogspot.com/2020/07/custom-certificate-updaterenew-on.html

6. Once all of the above steps have been applied, run the Rapid7 scan against the ESXi hosts again; none of the findings listed above should be reported any more.
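Steps 3 and 4 are plain file edits on the host, so they are worth rehearsing on copies before touching a production ESXi box. The shell script below is an added example, not code from the original post or from VMware: it creates constructed sample copies of sshd_config and rhttpproxy config.xml in a scratch directory, strips every CBC cipher from the Ciphers line (3des-cbc included, which goes slightly beyond step 3 so that the SSH CBC finding is covered too), inserts the cipherList element inside <ssl> under <vmacore> exactly once, and checks the result. The sample file contents, the scratch directory and the function names are assumptions made for the example; the real file paths and the service restart commands are given in the comments.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): rehearse the two
# ESXi file edits from steps 3 and 4 on constructed sample files, then verify.
# Real paths on a host:  /etc/ssh/sshd_config  and  /etc/vmware/rhttpproxy/config.xml
# After editing the real files, restart the services:
#   /etc/init.d/SSH restart
#   /etc/init.d/rhttpproxy restart

# The cipherList from step 4: one ECDHE (forward-secret) suite, static-RSA suites excluded.
CIPHER_LIST='ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384'

# Print the current Ciphers list of an sshd_config (empty if there is no Ciphers line).
ssh_ciphers() {
    sed -n 's/^Ciphers[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# Succeed if the sshd_config still offers any CBC-mode cipher (3des-cbc, aes256-cbc, ...).
ssh_offers_cbc() {
    ssh_ciphers "$1" | tr ',' '\n' | grep -q -- '-cbc$'
}

# Step 3: rewrite the Ciphers line without CBC-mode ciphers. Refuses to leave the
# list empty, which would lock every client out of SSH. Prints the kept list.
harden_ssh_ciphers() {
    file="$1"
    current=$(ssh_ciphers "$file")
    [ -n "$current" ] || { echo "no Ciphers line in $file" >&2; return 1; }
    kept=$(printf '%s\n' "$current" | tr ',' '\n' | grep -v -- '-cbc$' | paste -s -d ',' -)
    [ -n "$kept" ] || { echo "refusing to write an empty Ciphers list" >&2; return 1; }
    sed "s/^Ciphers[[:space:]].*/Ciphers $kept/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$kept"
}

# Print the body of the cipherList element of an rhttpproxy config.xml (empty if absent).
rhttpproxy_cipherlist() {
    sed -n 's/.*<cipherList>\(.*\)<\/cipherList>.*/\1/p' "$1"
}

# Succeed if <cipherList> sits between <ssl> and </ssl>, after <vmacore>.
cipherlist_inside_ssl() {
    awk '/<vmacore>/ { v = NR } /<ssl>/ { s = NR } /<cipherList>/ { c = NR } /<\/ssl>/ { e = NR }
         END { exit !(v && s && c && e && v < s && s < c && c < e) }' "$1"
}

# Step 4: insert the cipherList right after the first <ssl> that follows <vmacore>.
# Returns 2 without touching the file if an entry is already there (no duplicates).
set_rhttpproxy_ciphers() {
    file="$1"
    if grep -q '<cipherList>' "$file"; then
        echo "cipherList already present in $file, leaving it alone" >&2
        return 2
    fi
    awk -v cl="$CIPHER_LIST" '
        /<vmacore>/ { invm = 1 }
        { print }
        invm && !done && /<ssl>/ {
            match($0, /^[ \t]*/)
            print substr($0, RSTART, RLENGTH) "  <cipherList>" cl "</cipherList>"
            done = 1
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# --- demo on constructed sample files in a scratch directory (assumption) ---
WORK=$(mktemp -d)
SSHD_CONF="$WORK/sshd_config"
RHTTP_CONF="$WORK/config.xml"

cat > "$SSHD_CONF" <<'EOF'
# constructed sample, not a real ESXi sshd_config
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes256-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha2-512
EOF

cat > "$RHTTP_CONF" <<'EOF'
<config>
  <vmacore>
    <ssl>
    </ssl>
  </vmacore>
</config>
EOF

ssh_offers_cbc "$SSHD_CONF" && echo "before: CBC ciphers offered"
harden_ssh_ciphers "$SSHD_CONF"          # prints aes128-ctr,aes192-ctr,aes256-ctr
set_rhttpproxy_ciphers "$RHTTP_CONF"
cipherlist_inside_ssl "$RHTTP_CONF" && echo "cipherList placed inside <ssl>"
```

On a host, call harden_ssh_ciphers and set_rhttpproxy_ciphers on the real paths (after backing the files up) instead of the sample ones, then restart the two services. Quick spot checks from a workstation once steps 1 to 4 are done: ssh -o Ciphers=3des-cbc root@<host> should be refused, openssl s_client -connect <host>:443 -tls1_1 should fail to negotiate, and openssl s_client -connect <host>:443 -tls1_2 should succeed with the ECDHE suite. The rescan in step 6 remains the authoritative check.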

 

Cheers, have a great day ahead!!!!
