ESXi Vulnerability Remediation

-

 

ESXi Vulnerability Remediation

 Security is a mandatory and first priority task for IT Engineers to make their environment secure, reliable and stable to run the business smoothly.


This document is for VMware ESXi 6.5 Vulnerability remediation.

 

As per the Rapid scan report, below vulnerability exists on ESXi 6.5 hosts.

As of now, my ESXi hosts are running on 6.5 - 13004031 update level.

CVE-2017-16544,CVE-2021-21974,CVE-2019-5531,CVE-2019-5528,CVE-2020-3976,CVE-2018-12207,CVE-2020-3982,CVE-2019-11091,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-12126,CVE-2018-12127,CVE-2019-11091,CVE-2018-12130,CVE-2020-3968,CVE-2020-4004,CVE-2020-3967,CVE-2020-3969,CVE-2020-3960,CVE-2020-3962,CVE-2011-3389,CVE-2020-3955,CVE-2020-3966,CVE-2020-3995,CVE-2020-3981,CVE-2020-3971,CVE-2020-3965,CVE-2019-11135,CVE-2020-3958,CVE-2020-3959,CVE-2020-3963,CVE-2020-3970,CVE-2020-3964.

 

These are critical, High, Medium and Low types of vulnerability which needs to be remediate ASAP to secure the environment.

 

Most of the vulnerability will remediate once we applied the below latest ESXi 6.5 security patch on the ESXi hosts.

Version

Release Name

Build Number

ESXi 6.5 P06

ESXi650-202102001

17477841

 

Once, we applied the above security patch then most of the vulnerability will be remediate but some vulnerabilities will be exists like below and for these vulnerabilities, we need to make some changes on the VCSA and ESXi hosts for the remediation.

 

Vulnerability Title

TLS/SSL Server is enabling the BEAST attack

TLS Server Supports TLS version 1.0

TLS Server Supports TLS version 1.1

TLS/SSL Server Supports The Use of Static Key Ciphers

SSH CBC vulnerability

SSH Server Supports 3DES Cipher Suite

Untrusted TLS/SSL server X.509 certificate

 

To Remediate the above pending vulnerabilities, we need to follow below steps as mentioned.

 

1.       For the above listed TLS/SSL vulnerability, we need to disable the TLS 1.0,1.1 on the VCSA and enable the TLS 1.2 only and reboot it. Refer- https://kb.vmware.com/s/article/2147469

 

2.       Once VCSA is remediated, we need to disable the same TLS 1.0,1.1 and enable the TLS 1.2 only and reboot the ESXi hosts.

 

3.       For SSH server supports 3DES vulnerability, we need to make the changes in SSHD config file on the ESXI hosts and remove the 3DES-CBC support for SSH.

 

4.       For this vulnerability- TLS/SSL Server Supports The Use of Static Key Ciphers- we need to make the changes on ESXi host file “/etc/vmware/rhttpproxy/config.xml” and add this entry

 

“<cipherList>ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384</cipherList>” between <ssl> …..  <ssl> after <vmacore>.

 

5.       For Untrusted TLS/SSL server X.509 certificate vulnerability- you need to update your company CA certificate for secure communication between vCenter and ESXi hosts. First, you need to apply the custom CA certificate on vCenter/PSC servers and then on ESXI hosts.

For this task you can refer my blog- https://mycloudarena.blogspot.com/2020/07/custom-certificate-updaterenew-on.html

 

6.       Once, we applied all above steps for the remediation, just go for a rapid scan on the ESXI host and you will get “0” vulnerability.

 

 Cheers, have a great day ahead !!!!

Comments

  1. AnonymousApril 3, 2022 at 10:57 PM

    Esxi Vulnerability Remediation >>>>> Download Now

    >>>>> Download Full

    Esxi Vulnerability Remediation >>>>> Download LINK

    >>>>> Download Now

    Esxi Vulnerability Remediation >>>>> Download Full

    >>>>> Download LINK DZ

    ReplyDelete
  2. UnknownApril 21, 2022 at 8:36 AM

    You can share a screenshot for example please?

    I can't resolve the vulnerabilities :_(

    ReplyDelete

Post a Comment

Popular posts from this blog

How to migrate the N-VDS as the host switch to VDS 7.0 in NSX-T 3.x

-
Image
  Hello There, In this article, i am covering how to migrate the ESXi host switch from N-VDS to VDS 7.0 switch in NSX-T 3.2.x version. When using N-VDS as the host switch,  NSX-T  is represented as an opaque network in  vCenter Server . N-VDS owns one or more of the physical interfaces (pNICs) on the transport node, and port configuration is performed from  NSX-T Data Center . You can migrate your host switch to  vSphere  Distributed Switch (VDS) 7.0 for optimal pNIC usage and manage the networking for  NSX-T  hosts from  vCenter Server . When running  NSX-T  on a VDS switch, a segment is represented as an  NSX-T  Distributed Virtual Port Groups. Any changes to the segments on the  NSX-T  network are synchronized in  vCenter Server. We have an NSX-T environment running with NSX-T 3.2.2.1 version. this environment was designed and implemented with NSX-T 2.x version and that time we used the N-VDS as host switch configuration on the transport nodes bcuz VDS was not supported that time. 
Read more

vROPS appliances password remediation tasks failed from SDDC manager

-
Image
Issue details:-   Password remediation tasks on SDDC manager getting failed with below error. However, we are able to connect SSH with root password on the vROPS appliances, no issues with credentials. I checked Operations logs on SDDC manager and found below logs, indicating the SSH connectivity issues from SDDC to vROPS appliances. Tried to do SSH vROPS appliance from SDDC manager, getting below error... Seems some issue with ECDSA key.. Resolution:- SSH to vROPS appliance and retrieve the ECDSA ssh keys as below. Now, we have 2 options to update the correct SSH keys for vROPS appliance on SDDC manager known_Hosts files located at below location.   /root/.ssh/known_hosts   /etc/vmware/vcf/commonsvcs/known_hosts   /home/vcf/.ssh/known_hosts   /opt/vmware/vcf/commonsvcs/defaults/hosts/known_hosts First option is manually copy and paste the SSH key on all the known_hosts files and restart the SDDC manager services and then try to remediate the password again. it will be successful this
Read more

How to Import/Register a VM into vRA portal

-
Image
You can import an unmanaged virtual machine to a vRealize Automation environment. An unmanaged virtual machine exists in a vCenter but is not managed in a vRealize Automation environment and cannot be viewed in the vRA portal . Once you import an unmanaged virtual machine, the virtual machine is managed by using the vRealize Automation management interface. you can see the virtual machine on the Managed Machines tab or the Items tab. Please follow below steps to Import/Register VM into a vRA portal. Log in to vRealize Automation as a fabric administrator and as a business group manager. If you are importing virtual machines that use static IP addresses, prepare a properly configured address pool.  If you use bulk import to import a virtual machine with a static IP address that is allocated to another virtual machine, the import fails. Create a Blueprint and should not have even network attached as well. See below snapin. Create Network profile that shoul
Read more