Please see the Workaround section.
Workaround:
To implement the workaround, perform one of the following:
Workaround 1
Remove access to the appliance shell for non-root users:
- Log in to the vRealize Automation Appliance with an SSH session as the root user.
- Backup the /etc/passwd file with this command:
cp /etc/passwd /etc/passwd.bkup
- Download the 52377_identify_non_root_users.py.gz script.
- Extract and transfer the script to the appliance.
- Run this command to make sure that the script is executable:
chmod 755 identify_non_root_users.py
- To list all the non-root custom users, run this command and take note of the users listed:
python identify_non_root_users.py
If there are no users listed in the console, there are no users to disable.
- Open the /etc/passwd file with a plain text editor using this command:
vi /etc/passwd
- Search for all non-root users identified in step 6.
For example, the user test has access to bash:
test:x:1020:100:test:/home/test:/bin/bash
- Change the default shell access from /bin/bash to /sbin/nologin.
For example:
test:x:1020:100:test:/home/test:/sbin/nologin
- Save and exit the file.
To confirm that the workaround works, run these steps:
- Attempt to log into vRealize Automation Appliance using SSH and with a non-root user from step 6.
- Non-root users should no longer be able to log in.
To remove the workaround, run these steps:
- Log in to the vRealize Automation Appliance with an SSH session as the root user.
- Backup the /etc/passwd file with this command:
cp /etc/passwd /etc/passwd.modified.bkup
- Change the default shell access from /sbin/nologin to /bin/bash for all the non-root users.
For example:
test:x:1020:100:test:/home/test:/bin/bash
- Save and exit the file.
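The following is an added script, not the 52377_identify_non_root_users.py referenced above, that applies the same logic to a constructed /etc/passwd: list the non-root custom users that still have a login shell, then rewrite their shell to /sbin/nologin so the result can be compared against the backup. The rule that a custom user has a UID of 1000 or above, and the set of shells treated as already disabled, are assumptions.

```python
# Added example, not VMware's 52377_identify_non_root_users.py. Assumed rule:
# a "non-root custom user" has a UID at or above 1000 and a shell that is
# not nologin/false. The sample /etc/passwd content below is constructed.
MIN_CUSTOM_UID = 1000  # assumption: start of the regular-user UID range
NON_INTERACTIVE = {"/sbin/nologin", "/usr/sbin/nologin",
                   "/bin/false", "/usr/bin/false"}
DISABLED_SHELL = "/sbin/nologin"

def parse_passwd(text):
    """Yield the seven fields of each well-formed passwd entry."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            yield fields  # blank or malformed lines are skipped

def identify_non_root_users(text):
    """Return names of custom users (UID >= MIN_CUSTOM_UID) with a usable shell."""
    users = []
    for name, _pw, uid, _gid, _gecos, _home, shell in parse_passwd(text):
        if not uid.isdigit():
            continue  # non-numeric UID: leave the entry alone
        if int(uid) >= MIN_CUSTOM_UID and shell not in NON_INTERACTIVE:
            users.append(name)
    return users

def disable_shell(text, users):
    """Set the shell of each named user to DISABLED_SHELL; copy all else unchanged."""
    targets = set(users)
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in targets:
            fields[6] = DISABLED_SHELL
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample; a real appliance /etc/passwd will differ.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
test:x:1020:100:test:/home/test:/bin/bash
auditor:x:1021:100:auditor:/home/auditor:/sbin/nologin
svc:x:1500:100:service:/home/svc:/bin/sh
"""

if __name__ == "__main__":
    found = identify_non_root_users(SAMPLE_PASSWD)  # ['test', 'svc']
    print("non-root custom users with shell access:", found)
    print(disable_shell(SAMPLE_PASSWD, found), end="")
```

Running identify_non_root_users over the rewritten content returning an empty list is the same check the "confirm the workaround" steps perform by attempting an SSH login.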
Workaround 2
Disable the SSH shell on vRealize Automation Appliance:
- Log in to the vRealize Automation Appliance with an SSH session as the root user.
- Once logged in, run these commands:
- /etc/init.d/sshd stop
- chkconfig sshd off
To validate the workaround, run these steps:
- Try to log in to the appliance from any other machine using SSH.
- The connection should be refused.
To remove the workaround, run these steps:
- Log in from the vSphere console as root.
- Start the ssh service with the command /etc/init.d/sshd start.
- Run the command chkconfig sshd on.
Example vulnerabilities that this workaround will be effective against:
- CVE-2017-5753
- CVE-2017-5715
- CVE-2017-5754