1. Introduction
The VMware ESX / ESXi host Directory Configuration Files Information Disclosure vulnerability allows unauthenticated access to sensitive configuration files on a remote system. This can expose details about your virtual infrastructure, potentially aiding attackers in planning further compromise. Affected systems are typically VMware ESX and ESXi hosts running web services. Confidentiality is most at risk, with potential impacts to integrity and availability if exploited as part of a wider attack.
2. Technical Explanation
The remote VMware ESX / ESXi host makes configuration files available in the /host directory via its web interface. These files contain sensitive information about the host’s setup, which should not be publicly accessible. An attacker can simply browse to this directory and download the contents without needing any credentials. The Common Weakness Enumeration (CWE) identifier for this issue is CWE-200: Information Disclosure. A realistic example involves an attacker downloading configuration files to identify internal network addresses or service accounts used by the virtual infrastructure.
- Root cause: Insecure default web directory configuration allowing access to sensitive files.
- Exploit mechanism: An attacker uses a web browser to navigate to the /host directory on the ESXi host’s web interface and downloads the exposed configuration files. No authentication is required.
- Scope: VMware ESX and ESXi hosts with the default web directory configuration enabled. Specific versions are not explicitly stated in available information, so all installations should be checked.
3. Detection and Assessment
You can confirm this vulnerability by checking if the /host directory is accessible via a web browser. A thorough method involves attempting to download files from that directory.
- Quick checks: Open a web browser and navigate to https://[ESXi_HOST_IP]/host. If you can view or download files, the system is vulnerable.
- Scanning: Nessus plugin ID 16829 may detect this vulnerability. Other scanners may have similar checks; consult your scanner documentation.
- Logs and evidence: Web server logs on the ESXi host may show requests for files in the /host directory from external IP addresses. These are typically located at `/var/log/vmkernel.log`.
curl -I https://[ESXi_HOST_IP]/host
4. Solution / Remediation Steps
Disable or secure the /host web directory to prevent unauthorized access to configuration files. These steps should be performed during a scheduled maintenance window.
4.1 Preparation
- Ensure you have console access in case of issues, and confirm that a backup or snapshot of the current configuration exists so that you can roll back by restoring it.
- Changes should be approved by the IT security team or system owner.
4.2 Implementation
- Step 1: Connect to the ESXi host via SSH using an administrator account.
- Step 2: Edit the web directory configuration file, typically located at `/etc/vmware/config.xml`.
- Step 3: Comment out or remove the section that enables access to the /host directory.
- Step 4: Restart the management services for the changes to take effect. Use the command service-control --start vmware-ui.
4.3 Config or Code Example
Before
<webui>
  <hostDirectoryEnabled>true</hostDirectoryEnabled>
</webui>
After
<webui>
  <!-- <hostDirectoryEnabled>true</hostDirectoryEnabled> -->
</webui>
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue. Least privilege reduces the impact if an attacker gains access, and secure defaults minimise initial exposure.
- Practice 1: Implement least privilege principles for all accounts accessing the ESXi host.
- Practice 2: Regularly review default configurations to ensure they are as secure as possible.
4.5 Automation (Optional)
Ansible can be used to automate this change, but caution is advised when modifying configuration files directly.
---
- hosts: esxi_hosts
  tasks:
    - name: Disable host directory access in config.xml
      lineinfile:
        path: /etc/vmware/config.xml
        regexp: '<hostDirectoryEnabled>true</hostDirectoryEnabled>'
        state: absent
      become: true
5. Verification / Validation
- Post-fix check: Open a web browser and navigate to https://[ESXi_HOST_IP]/host. You should receive an error message indicating access is denied or the resource is not found.
- Re-test: Repeat the quick check from Section 3; you should no longer be able to view files in the /host directory.
- Smoke test: Verify that other web interface functions, such as host management and virtual machine control, are still working correctly.
curl -I https://[ESXi_HOST_IP]/host
6. Preventive Measures and Monitoring
Regular security baselines and automated checks can help prevent similar issues in the future. For example, update your CIS benchmark or GPO/Intune settings to include this configuration change.
- Baselines: Update a security baseline or policy to enforce disabling access to the /host directory on all ESXi hosts.
- Pipelines: Add checks in CI or deployment pipelines to scan for insecure configurations, such as open web directories.
- Asset and patch process: Implement a regular patch and configuration review cycle to identify and address vulnerabilities promptly.
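As an added example (not part of the original page or of VMware's tooling), the following Python script performs the same /host probe as the curl check in Sections 3 and 5 across a list of hosts and exits non-zero when any host still serves the directory, so it can gate a deployment pipeline stage. The HTTPS scheme, the default port and the status-code mapping are assumptions: 401, 403 or 404 is treated as remediated, any 2xx response with a body as exposed, and everything else as needing manual inspection.

```python
import ssl
import sys
import urllib.error
import urllib.request

EXPOSED, REMEDIATED, UNKNOWN = "exposed", "remediated", "unknown"


def classify(status, body):
    """Map the HTTP status and body returned for /host to a verdict."""
    if status in (401, 403, 404):
        return REMEDIATED      # access denied or resource gone: the fix holds
    if 200 <= status < 300 and body.strip():
        return EXPOSED         # a listing or file content was served anonymously
    return UNKNOWN             # redirects, 5xx, empty bodies, network errors: inspect by hand


def fetch(url, timeout=10, verify_tls=True):
    """GET url and return (status, body); HTTP and network errors become a status code."""
    ctx = ssl.create_default_context()
    if not verify_tls:         # ESXi hosts often present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""           # unreachable host: classified as UNKNOWN, not as fixed


def check_hosts(hosts, verify_tls=True):
    """Return {host: verdict} for the /host directory of each ESXi host (assumed HTTPS, port 443)."""
    return {h: classify(*fetch(f"https://{h}/host", verify_tls=verify_tls))
            for h in hosts}


if __name__ == "__main__":
    # Usage: python check_host_dir.py [--insecure] esxi01.example.internal esxi02.example.internal
    insecure = "--insecure" in sys.argv
    hosts = [arg for arg in sys.argv[1:] if arg != "--insecure"]
    results = check_hosts(hosts, verify_tls=not insecure)
    for host, verdict in results.items():
        print(f"{host}: {verdict}")
    # A non-zero exit fails the pipeline stage while any host is still exposed.
    sys.exit(1 if EXPOSED in results.values() else 0)
```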
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Custom scripts accessing files in /host may break; review and update these scripts if necessary.
- Roll back: 1) Stop the management services using service-control --stop vmware-ui. 2) Restore the ESXi host from the snapshot taken before making changes. 3) Restart the management services using service-control --start vmware-ui.
8. References and Resources
- Vendor advisory or bulletin: No specific vendor advisory found for this configuration issue.
- CWE entry: https://cwe.mitre.org/data/definitions/200.html
- Product or platform documentation relevant to the fix: <