ESXi password vulnerability reborn

The title is kind of misleading but I have to catch your attention somehow.

Anyway, I have to give you a brief summary before I can get to the point.

A year ago I came across a very interesting vulnerability in ESXi password handling (http://www.virtuallyghetto.com/2010/07/esxi-41-major-security-issue.html). The vulnerability is that ESXi 4.1 only processes the first 8 characters of the password and disregards the rest. This is due to the default pam_passwdqc plug-in that ESXi uses. VMware responded and came out with a patch (ESX410-201010414-SG) right after. I, being the good IT person that I am, responsibly applied the patch, patted myself on the back and said "Well done", the world is a much safer place now.

Fast forward to today: we are now using ESXi 5 and that article is old news already. A new coworker reported that he could not log in to the vCenter Server Appliance as root. Yet he could use the same password to connect to ESXi through the vSphere Client, so he pointed out that he knew he was using the correct password. Valid point; who can argue with that?

A light bulb came on and I remembered the old blog article that I had labeled in my head as old news. He had been typing the 12th character incorrectly. For example, if the correct password is I;@m;Sup3rm@n and you type I;@m;Sup3rman, ESXi still lets you in because it only checks the first 8 characters. I know what you are thinking: wait a minute, you said you patched the machine already. It turns out (not VMware-verified yet) that even if you apply the patch and upgrade to ESXi 5, if you never changed your password after the vulnerability was fixed, your box is still vulnerable (again, purely my theory). I proved it by standing up a new ESXi 5 from scratch, and that one tested good.

Of course, this vulnerability is not a big deal to you and me (right?), since the management network is ACL'ed, on RFC 1918 addresses and not NATed, and protected by the perimeter firewall/IPS. This is why it is important to separate and protect your ESXi management network (and storage network).

Lesson learned: never label a good article as old news. Had I not known about that article, it would have been hard to explain the behavior.

The value of keeping up with technology cannot be emphasized enough; reading is winning.

Sources:

http://www.virtuallyghetto.com/2010/07/esxi-41-major-security-issue.html

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012033
