1. Introduction
The VMware ESX / ESXi Remotely Accessible Managed Object Browser (MOB) issue allows remote attackers who hold valid credentials for the host to interact with the hypervisor's management objects over HTTPS. This can lead to system compromise and data loss. Affected systems are VMware ESX and ESXi hosts on which the MOB is enabled and reachable from the network. A successful exploit could impact the confidentiality, integrity, and availability of virtual machines and host resources.
2. Technical Explanation
The Managed Object Browser (MOB) is a web-based debugging and exploration tool built into VMware ESX / ESXi that lets a browser or any HTTP client walk the host's managed objects and invoke their vSphere API methods. Since ESXi 6.0 it is disabled by default and is controlled by the hostd advanced option Config.HostAgent.plugins.solo.enableMob, which can be changed through the vSphere Client's Advanced System Settings, the ESXi shell or PowerCLI; earlier releases shipped with the MOB enabled. When enabled, it exposes every method the authenticated account is permitted to call, including creating, reconfiguring and destroying virtual machines and changing host settings. Exploitation requires valid ESXi credentials with the corresponding permissions.
- Root cause: The MOB is an interactive front end to the same vSphere API the host already serves, protected only by the account's normal vSphere authentication and permissions. Leaving it enabled on a network-reachable management interface gives any holder of valid credentials (including a guessed, reused or stolen password) a ready-made, point-and-click way to drive the host.
- Exploit mechanism: An attacker with ESXi credentials browses to https://{ESXi_host}/mob/, authenticates, navigates to an object such as the VM folder or a virtual machine, and invokes methods through the MOB's HTML forms. For example, the attacker could create a new virtual machine or power off and destroy an existing one.
- Scope: This issue affects VMware ESX and ESXi hosts where the MOB is enabled, whether explicitly or because the release enabled it by default.
3. Detection and Assessment
Confirming whether a host is exposed means checking whether the MOB endpoint is served at all and, if it is, whether that is intentional and who has been using it.
- Quick checks: Use a web browser to access https://{ESXi_host}/mob/. If the host prompts for credentials and, after you log in, shows the Managed Object Browser page (the ServiceContent object with links to its sub-objects), the MOB is enabled. The page is HTML, not XML; the credential prompt alone already tells you the endpoint is being served.
- Scanning: The Nessus plugin linked in section 8 detects an accessible MOB. Other scanners may have similar checks.
- Logs and evidence: Look for requests to the /mob path. On ESXi 7.x and later the reverse proxy's access log (typically /var/log/envoy-access.log) records each HTTP request with its path, and /var/log/hostd.log records the resulting logins (events of the form "User <name>@<ip> logged in ..."). /var/log/vmkernel.log is the VMkernel's log and will not show these requests. File names and line formats vary by release, so confirm against your own host before relying on a pattern.
curl -sk -o /dev/null -w '%{http_code}\n' https://{ESXi_host}/mob/   # 401 = MOB served (enabled), 200 = served without credentials (investigate), anything else = not served
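The script below is an added example, not part of the original advisory, that turns the "logs and evidence" check into something you can run on a host or on a copied log. It assumes the ESXi 7.x reverse-proxy access log (/var/log/envoy-access.log) writes one line per request containing the client address, the HTTP request line and the status code; the sample lines embedded in it are constructed to that shape and are not captured from a real host, so adjust the sed pattern if your release formats the line differently.

```shell
#!/bin/sh
# Added example, not from the original page: find requests to the MOB endpoint
# in an ESXi proxy access log and summarise who called what.
# Assumptions: ESXi 7.x envoy-access.log layout "<client> "<METHOD> <path> HTTP/x.y" <status>";
# the sample below is constructed, not captured from a real host.

SAMPLE_LOG='2024-05-01T10:00:01.000Z In(14) envoy-access[2099412]: 10.0.0.5 "GET /mob/ HTTP/1.1" 401
2024-05-01T10:00:07.000Z In(14) envoy-access[2099412]: 10.0.0.5 "GET /mob/?moid=ha-host HTTP/1.1" 200
2024-05-01T10:00:09.000Z In(14) envoy-access[2099412]: 10.0.0.9 "GET /ui/ HTTP/1.1" 200
2024-05-01T10:01:00.000Z In(14) envoy-access[2099412]: 10.0.0.5 "POST /mob/?moid=ha-folder-vm&method=createVm HTTP/1.1" 200
2024-05-01T10:02:00.000Z In(14) envoy-access[2099412]: 10.0.0.7 "GET /mobile/ HTTP/1.1" 404'

# Every line whose request line targets /mob (but not a path that merely starts
# with "mob", such as /mobile/).
mob_requests() {
    grep -E '"[A-Z]+ /mob([/? ])' "$1"
}

# Reduce each hit to: client method path status
mob_request_summary() {
    mob_requests "$1" |
    sed -n 's|.*[ :]\([0-9.]\{7,15\}\) "\([A-Z]*\) \(/mob[^ ]*\) HTTP/[0-9.]*" \([0-9]\{3\}\).*|\1 \2 \3 \4|p'
}

# Method invocations through the MOB carry "method=" in the query string
# (e.g. /mob/?moid=ha-folder-vm&method=createVm); these are the lines to review first.
mob_method_invocations() {
    mob_requests "$1" | grep -E '/mob/?\?[^ ]*method='
}

# Hits per client address, so an unexpected source stands out.
mob_clients() {
    mob_request_summary "$1" | awk '{count[$1]++} END {for (c in count) print c, count[c]}' | sort
}

main() {
    log=${1:-/var/log/envoy-access.log}        # assumed default path on ESXi 7.x
    if [ "$log" = "--sample" ]; then           # run against the constructed sample
        log=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$log"
    fi
    echo "== MOB requests (client method path status)"; mob_request_summary "$log"
    echo "== Requests per client";                        mob_clients "$log"
    echo "== Method invocations";                         mob_method_invocations "$log"
}

# Only run when given a log path or --sample; sourcing the file just defines the functions.
[ $# -eq 0 ] || main "$@"
```

Run it as `sh mob_log_scan.sh --sample` to see the output on the embedded lines, or `sh mob_log_scan.sh /var/log/envoy-access.log` on a host; the method-invocation list is the part to hand to incident response, because a GET of /mob/ may be an administrator looking around, whereas a createVm or Destroy_Task invocation from an unfamiliar client is activity.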
4. Solution / Remediation Steps
The primary fix is to keep the MOB disabled (Config.HostAgent.plugins.solo.enableMob set to false) unless a specific diagnostic task needs it, and to enable it only for the duration of that task. Independently of that, restrict who holds accounts on the host and which roles those accounts carry, because the MOB can only do what the authenticated account is allowed to do.
4.1 Preparation
- No services need to be stopped. Before changing anything, record the current value of Config.HostAgent.plugins.solo.enableMob and the host's existing permission assignments, and take a backup of the host configuration.
- Roll back plan: Re-enable the MOB through the vSphere Client, the ESXi shell or PowerCLI if a diagnostic workflow turns out to depend on it, and restore the previous role assignments if an account loses access it needs. ESXi hosts cannot be snapshotted like virtual machines, so rely on the host configuration backup instead. Change windows should be scheduled during off-peak hours and approved by the system owners.
4.2 Implementation
- Step 1: Disable the MOB by setting Config.HostAgent.plugins.solo.enableMob to false (vSphere Client: the host's Advanced System Settings; or from the ESXi shell or PowerCLI). If a team needs it for a specific diagnostic, enable it for that task only and disable it again afterwards.
- Step 2: Ensure only current administrators have accounts on the ESXi host. Remove unused or unknown accounts and keep local accounts to trusted administrators only.
- Step 3: Use the host's built-in roles (Admin, ReadOnly, NoAccess) and custom roles to give each remaining account the minimum privileges its job requires; an account should not hold the Admin role unless it genuinely needs full control of the host.
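The following script carries out the three steps above from the ESXi shell on a standalone host. It is an added example, not part of the original page. It assumes ESXi 6.0 or later (where the MOB is governed by the hostd advanced option Config.HostAgent.plugins.solo.enableMob), an SSH session as root, and the output layouts of `vim-cmd hostsvc/advopt/view` and `esxcli system permission list` shown in its constructed samples; the list of accounts expected to hold Admin (root, dcui, and vpxuser when the host is vCenter-managed) is an assumption to tailor to your environment.

```shell
#!/bin/sh
# Added example, not from the original page: disable the MOB and review Admin
# role holders from the ESXi shell. Assumes ESXi 6.0+; the vim-cmd and esxcli
# output shapes parsed below are assumptions illustrated by constructed samples.
OPT=Config.HostAgent.plugins.solo.enableMob

# Accounts expected to hold Admin on a standalone host (assumption; adjust).
EXPECTED_ADMINS='root dcui vpxuser'

# Constructed sample of "vim-cmd hostsvc/advopt/view $OPT" (layout assumed).
SAMPLE_VIEW='(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = true
   }
]'

# Constructed sample of "esxcli system permission list" (layout assumed).
SAMPLE_PERMS='Principal   Is Group  Role      Role Description
----------  --------  --------  ----------------
dcui        false     Admin     Full access rights
root        false     Admin     Full access rights
backupsvc   false     ReadOnly  See details of objects, but not make changes
contractor  false     Admin     Full access rights'

# Pull the boolean ("true"/"false") out of advopt/view output read from stdin.
mob_value_from_view() {
    sed -n 's/^[[:space:]]*value = \([a-z]*\).*/\1/p' | head -n 1
}

# From permission-list output on stdin, print principals holding Admin that are
# not in EXPECTED_ADMINS. The first two lines are the header and its underline.
unexpected_admins() {
    awk -v expected="$EXPECTED_ADMINS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        NR > 2 && $3 == "Admin" && !($1 in ok) { print $1 }'
}

current_mob_value() {
    vim-cmd hostsvc/advopt/view "$OPT" | mob_value_from_view
}

# Step 1: turn the MOB off.
disable_mob() {
    vim-cmd hostsvc/advopt/update "$OPT" bool false
}

# Steps 2-3: list Admin holders that should not have the role. The operator then
# removes the account (esxcli system account remove --id <user>) or demotes it
# (esxcli system permission set --id <user> --role ReadOnly); this script only reports.
review_admins() {
    esxcli system permission list | unexpected_admins
}

main() {
    echo "MOB before: $(current_mob_value)"
    disable_mob
    [ "$(current_mob_value)" = false ] || { echo "MOB still enabled, investigate" >&2; exit 1; }
    echo "Unexpected Admin principals (review manually):"
    review_admins
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = --apply ]; then main; fi
```

Invoke it as `sh mob_remediate.sh --apply` on the host. It deliberately does not delete or demote accounts on its own: the permission list on a production host routinely contains service principals whose owners need to be asked before a role is changed, which is exactly the roll-back risk section 7 warns about.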
4.3 Config or Code Example
Before
# MOB enabled on the host (Config.HostAgent.plugins.solo.enableMob = true, or an ESX/ESXi release older than 6.0, where it is on by default) and several local accounts, including service accounts, holding the Admin role.
After
# Config.HostAgent.plugins.solo.enableMob = false on every host unless a documented exception exists; only named administrators hold Admin, service accounts hold ReadOnly or a custom role with the few privileges they need, and unused local accounts are removed.
4.4 Security Practices Relevant to This Vulnerability
Several security practices directly address this vulnerability type.
- Practice 1: Least privilege – Granting only the minimum required permissions reduces the impact if an account is compromised.
- Practice 2: Secure defaults – Keeping unnecessary services disabled by default minimizes the attack surface.
4.5 Automation (Optional)
PowerCLI can be used to inspect and change the MOB setting and the host's role assignments, but scripts that modify roles should be reviewed and tried against a single host before being run across the estate.
# Example PowerCLI snippet (use with caution):
Connect-VIServer -Server {ESXi_host}
Get-VMHost -Name {ESXi_host} | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob   # Value should be False; pipe to Set-AdvancedSetting -Value $false to disable the MOB
Get-VIPermission -Entity (Get-VMHost -Name {ESXi_host}) | Where-Object { $_.Role -eq 'Admin' } | Select-Object Principal, Role, Propagate   # Principals holding the Admin role; change them with Set-VIPermission or Remove-VIPermission after review
5. Verification / Validation
Confirm the fix by verifying the MOB setting and the account permissions, and by re-testing the endpoint.
- Post-fix check: Use a web browser to access https://{ESXi_host}/mob/. With the MOB disabled the page is no longer served for any account, administrators included: the host no longer answers with a credential prompt, and the status code is something other than 200 or 401. If the MOB was deliberately left enabled, confirm with a restricted account that it can log in but that invoking a method outside its role fails (the MOB reports a NoPermission fault).
- Re-test: Run the Nessus scan again; it should no longer report the issue.
- Smoke test: Verify core VM operations (power on, power off, create snapshot) still function with accounts that have appropriate permissions.
- Monitoring: Watch the host's access and hostd logs for requests to the /mob path, so that a MOB re-enabled during troubleshooting and never switched off, or an unexpected client, is noticed promptly.
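The probe below is an added example, not part of the original page, that wraps the page's curl one-liner so it can serve both the quick check in section 3 and the post-fix re-test here. It assumes {ESXi_host} is reachable on port 443, skips certificate validation exactly as the page's `curl -k` does, and treats a disabled MOB as "not served at all": any status other than 200 or 401 is reported as not reachable, with the code shown so the operator can judge. The classification of 404/503 as "disabled" is an assumption to confirm on your own release.

```shell
#!/bin/sh
# Added example, not from the original page: probe https://<host>/mob/ and turn
# the HTTP status into a verdict. Assumptions: port 443 reachable; -k skips
# certificate checks; a disabled MOB is not served, so non-200/401 = not reachable.

# Map the status code of GET /mob/ to a verdict string.
classify_mob_status() {
    case "$1" in
        200) echo "ENABLED_NO_AUTH" ;;        # served without credentials: not expected on ESXi, investigate
        401) echo "ENABLED_AUTH_REQUIRED" ;;  # MOB is on; any valid account can log in
        000) echo "NO_CONNECTION" ;;          # curl could not connect (host down, port filtered, wrong name)
        *)   echo "NOT_REACHABLE_$1" ;;       # e.g. 404/503: MOB not served; assumed to mean disabled
    esac
}

# Exit 0 when the status means the MOB is being served, 1 otherwise.
mob_served() {
    case "$(classify_mob_status "$1")" in
        ENABLED_*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print only the status code of GET https://<host>/mob/, with optional Basic auth
# (the MOB authenticates with HTTP Basic credentials). 000 on connection failure.
mob_http_status() {
    host=$1; user=$2; pass=$3
    if [ -n "$user" ]; then
        curl -sk -m 10 -o /dev/null -w '%{http_code}' -u "$user:$pass" "https://$host/mob/"
    else
        curl -sk -m 10 -o /dev/null -w '%{http_code}' "https://$host/mob/"
    fi
}

# Unauthenticated probe, then (if credentials were given) an authenticated one.
# A restricted but valid account can still log in and browse what it may read,
# so the condition verified here is "MOB not served", not "login refused".
# Exit status 0 means the MOB is not served.
probe_mob() {
    host=$1; user=$2; pass=$3
    anon=$(mob_http_status "$host") || true
    echo "unauthenticated: $anon -> $(classify_mob_status "$anon")"
    if [ -n "$user" ]; then
        auth=$(mob_http_status "$host" "$user" "$pass") || true
        echo "as $user: $auth -> $(classify_mob_status "$auth")"
    fi
    ! mob_served "$anon"
}

# Usage: sh mob_probe.sh esxi01.example.net [user pass]
[ $# -eq 0 ] || probe_mob "$@"
```

Because the exit status encodes the verdict, the same script can be dropped into a compliance job (section 6) to fail a host that starts answering on /mob/ again.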
curl -sk -o /dev/null -w '%{http_code}\n' https://{ESXi_host}/mob/   # Should no longer print 200 or 401 once the MOB is disabled
6. Preventive Measures and Monitoring
Configuration baselines, regular assessment and a working patch process keep the issue from reappearing, for instance after a host rebuild or a troubleshooting session that switched the MOB back on.
- Baselines: Update your VMware ESXi security baseline to include disabling the MOB API unless specifically required, or strict RBAC controls if enabled.
- Pipelines: Include a check in your host build or CI/CD pipeline (a host profile, a PowerCLI compliance script, or a scanner run) to verify that new ESXi deployments adhere to the baseline before they are handed over.
- Asset and patch process: Implement a regular patch review cycle for VMware ESXi updates and security advisories.
7. Risks, Side Effects, and Roll Back
Disabling the MOB API may impact debugging capabilities. Incorrect RBAC configuration can disrupt VM operations.
- Risk or side effect 1: Disabling MOB API could hinder troubleshooting if it’s used for diagnostics.
- Risk or side effect 2: Incorrectly configured RBAC roles might prevent legitimate administrators from performing necessary tasks.
- Roll back: If disabling the MOB causes issues, re-enable it through the vSphere Client, the ESXi shell or PowerCLI for the duration of the task and disable it again afterwards. If the RBAC configuration is incorrect, revert to the previous role assignments, or restore the host configuration backup taken during preparation.
8. References and Resources
- Nessus plugin reference: http://www.nessus.org/u?cd83d552