Critical: VMware VMSA-2021-0010 (PATCH YOUR vCENTER)

What is VMSA-2021-0010 vulnerability?

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

IMPORTANT:

The affected Virtual SAN Health Check plug-in is enabled by default in all vCenter Server deployments, whether or not vSAN is being used.

Implementation Time: Immediate

These updates fix a critical security vulnerability, and it needs to be considered at once. Organizations that practice change management using the ITIL definitions of change types would consider this an “emergency change.” All environments are different, have different tolerance for risk, and have different security controls & defense-in-depth to mitigate risk, so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act.

Why are you affected by VMSA-2021-0010?

The VMSA outlines two issues that are resolved in this patch release. First, there is a remote code execution vulnerability in the vSAN plugin, which ships as part of vCenter Server. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not.

Second, improvements were made to the vCenter Server plugin framework to better enforce plugin authentication. This affects some VMware plugins, and may also cause some third-party plugins to stop working. VMware partners have been notified and are working to test their plugins (most continue to work), but there may be a period after updating when a virtualization admin team may need to access backup, storage, or other systems through their respective management interfaces and not through the vSphere Client UI. If a third-party plugin in your environment is affected, please contact the vendor that supplied it for an update.

How to protect your environment

Don’t think twice: patch your vCenter immediately. This is the fastest way to resolve the problem, it doesn’t involve editing files on the vCenter Server Appliance (VCSA), and it removes the vulnerability completely. From there you can update any plugins as vendors release new versions.

Steps to Patch your vCenter server:

There are three ways to patch the vCenter,

To know more about the vulnerability, please refer to the links below:

https://www.vmware.com/security/advisories/VMSA-2021-0010.html (Details about the issue and workaround).

https://via.vmw.com/vmsa-2021-0010-communities (Right place for your queries).

https://via.vmw.com/vmsa-2021-0010-blog (Official VMware Blog)

Enabling logging for Likewise agents on ESXi

If you are planning to add your ESXi host to Active Directory: on ESXi 5.x, 6.x and 7.x the Likewise agents are used to join the host to an Active Directory domain and to handle subsequent user authentication attempts.

When you are having trouble adding the ESXi host to Active Directory, the Likewise agent logs are very helpful for troubleshooting, but the Likewise agents do not generate a log file by default.

Please follow the steps below to enable logging for the Likewise agents.

Note: Enabling Likewise logging increases disk usage under /var/log. Enable it only while diagnosing an issue, then disable the logging again to prevent out-of-space problems.

ESXi 6.x and 7.x: logging for the Likewise agents is configured from the command line.

To check and change the current Likewise agent logging settings:

1. Log in to the ESXi host as root using the console or SSH.

2. Start the lwsmd service by running the command below:

/etc/init.d/lwsmd start

3. Use the command below to set the log file location:

/usr/lib/vmware/likewise/bin/lwsm set-log file /var/log/likewise.log

To confirm the current log file location, use the command below:

/usr/lib/vmware/likewise/bin/lwsm get-log

Expected output: /var/log/likewise.log

4. Use the command below to set the logging level (replace <loglevel> with one of the levels listed next):

/usr/lib/vmware/likewise/bin/lwsm set-log-level <loglevel>

The valid logging levels are:

  • always
  • error
  • warning
  • info
  • verbose
  • debug
  • trace

Example: /usr/lib/vmware/likewise/bin/lwsm set-log-level INFO

How to set up a Microsoft CA on Windows Server 2016 – pictorial representation

We are going to set up a Microsoft CA on Windows Server 2016. This article gives a step-by-step pictorial representation of how to set up the CA. Yes, the article is pretty long because of the pictures, but they will make your work simpler.

Set up a Microsoft Certificate Authority:

The following three steps set up the Microsoft Certificate Authority:

a. Install Certificate Authority on Windows Server 2016

b. Configuring certificate Authority in Windows Server 2016

c. Setting up OCSP.

Prerequisites:

  1. The server must be joined to the domain.
  2. License the server.

Steps to set up the Microsoft Certificate Authority:

a. Install Certificate Authority on Windows Server 2016

1. Open Server Manager

2. Select Add Roles and Features and click Next

3. Select the installation type: Role-based or feature-based installation

4. Select the server from the server pool

5. Select Active Directory Certificate Services, then click Next -> Add Features

6. We are adding Certificate Authority, Certificate Authority Web Enrollment and Online Responder as role services.

What is an Online Responder?

It is a role service that answers clients’ certificate status requests: when a client uses a certificate, it can ask the responder whether that certificate is still valid (not revoked), which lets us monitor the validity of certificates in the environment.

Now under AD CS click -> Next

7. Select the role services Certificate Authority, Certificate Authority Web Enrollment and Online Responder.

8. We are enabling the Web Server Role (IIS).

9. Select the roles below as required by the Web Server Role.

10. Click -> Next. We have successfully installed the Certificate Authority role on the machine.

b. Configuring certificate Authority in Windows Server 2016

1. Now we must do the post-install configuration: click the flag icon at the top-right corner of the page and select Configure Active Directory Certificate Services.

2. Select the super user (Administrator) account as the credentials.

3. Go to Role Services -> Select Certification Authority -> Next

4. Now select Setup Type -> Enterprise CA, so that it can issue certificates.

5. Select CA type -> Root CA. This will be the first, and maybe the only, Certificate Authority.

6. Select Private Key -> Create a New private key (We are selecting this option because we do not have a private key).

7. In the Cryptography options:

  • Cryptographic Provider: RSA#Microsoft Software Key Storage Provider
  • Key Length: 2048
  • Hash Algorithm for signing certificates: 2048

8. Create the CA Name -> Next

9. Select the validity period for the root certificate as 10 years.

10. Select the location to save the certificate database.

11. Confirm all the details and click -> Configure

12. Certificate Authority configuration is successful.

13. Let’s continue to configure Certificate Authority Web Enrollment and Online Responder.

14. Confirm the roles and click -> Configure

15. Configuration of Certificate Authority Web Enrollment and Online Responder is successful.

c. Setting up OCSP:

1. Click on Start -> mmc (Microsoft Management Console)

2. Click on File -> Add/Remove snap-in or Press Ctrl + M.

3. Select Certificate Templates and click Add to add it to the console

4. Now select Certificates and click Add

5. Select Certificates Snap-in -> Computer account

6. If the Certificate Authority is installed on a different machine, choose Another computer. In our case the Certificate Authority is on this server, so we select Local computer.

7. Select Certification Authority, click -> Add and click OK

8. Select Certification Authority, expand it, right-click Certificate Templates and select Manage

9. Select OCSP Response Signing -> Properties

10. Select the Security tab -> click Add

11. Click Object Types and select Computers

12. Select the AD server machine, click Check Names and then click -> OK

13. Select the AD server and grant it Full control

14. Select gsslabs-CA, right-click and select Properties

15. Select the Extensions tab

16. Select AIA (Authority Information Access):

17. Click Add -> enter the location as https://ad.gsslabs.org/ocsp -> click OK

18. Click OK -> click Yes to restart the services.

Now your Certificate Authority is completely configured. This CA can be used to issue certificates to machines and websites.
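The wizard steps of sections a to c as a single PowerShell script; this is an added example, not part of the original post. It assumes it runs elevated on the domain-joined AD server that also hosts the CA (as in this post), reuses the post's CA name gsslabs-CA and AIA location, and takes SHA256 as the signing hash, because the value 2048 listed under step b.7 is a key length, not a hash algorithm; publishing the template on the CA (Add-CATemplate) is not shown in the post but the responder cannot enroll without it.

```powershell
# Added example (not from the original post): sections a to c of the CA setup as PowerShell.
# Assumptions: elevated session on the domain-joined AD server that hosts the CA,
# CA name and OCSP URL taken from the post, SHA256 assumed as signing hash.
$CaName       = 'gsslabs-CA'
$OcspUrl      = 'https://ad.gsslabs.org/ocsp'   # AIA location from step c.17
$ComputerName = $env:COMPUTERNAME              # AD server that runs the Online Responder

# a. Install the role services selected in the wizard (the IIS role is pulled in as a dependency).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert -IncludeManagementTools

# b. Post-install configuration: Enterprise Root CA, new RSA 2048-bit key, 10-year validity.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force
Install-AdcsWebEnrollment -Force
Install-AdcsOnlineResponder -Force

# c. OCSP: give the responder's computer account rights on the OCSP Response Signing template.
# Templates live in the Configuration partition; dsacls grants Full Control (GA) as in step c.13.
# Least-privilege note: Read + Enroll is all the responder actually needs to obtain its signing cert.
Import-Module ActiveDirectory
$cfg    = (Get-ADRootDSE).configurationNamingContext
$tmpl   = "CN=OCSPResponseSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$domain = (Get-ADDomain).NetBIOSName
dsacls $tmpl /G "$domain\${ComputerName}`$:GA"

# Publish the template on the CA (assumed step, not shown in the post) and add the
# OCSP URL to the AIA extension (steps c.16 and c.17).
Add-CATemplate -Name 'OCSPResponseSigning' -Force
Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force

# Step c.18: the AIA change only takes effect after the CA service restarts.
Restart-Service certsvc
```

Run `certutil -getreg CA\CACertPublicationURLs` afterwards to confirm the OCSP entry was added before issuing certificates that clients will check against the responder.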