ESXi 8.0 prevents the execution of non-installed ELF-binaries
search cancel

ESXi 8.0 prevents the execution of non-installed ELF-binaries

book

Article ID: 344815

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • A non-installed ELF-binary cannot be executed and security warnings are caused, You may see similar entries on the ESXi host:

Scenario 1

/var/log/vmkernel.log
WARNING: UserCartel: InitExecInfo:2870: Execution of non-installed file prevented: <nonInstalledBinary>
UserCartel: InitExecInfo:2875: sh: exec denied: file <nonInstalledBinary> not installed

WARNING: UserCartel: InitExecInfo:2881: Execution of non-installed file: <nonInstalledBinary>
WARNING: User: ExecInstalledOnlyCallback:6942: ExecInstalledOnly has been disabled. This allows the execution of non-installed binaries on the host. Unknown content can cause malware attacks similar to Ra$

  • vSphere - Host Events

Execution of unknown (non VIB installed) binary <nonInstalledBinary> prevented. Unknown content can cause malware attacks similar to Ransomware.

Execution of unknown (non VIB installed) binary <nonInstalledBinary>. Unknown content can cause malware attacks similar to Ransomware.

Scenario 2

/var/log/vobd.log
[vob.uw.exec.installonly.violation] Execution of non-installed file prevented: <nonInstalledBinary>
[vob.uw.exec.installonly.warning] Execution of non-installed file: <nonInstalledBinary>
[esx.audit.uw.security.User.ExecInstalledOnly.disabled] ExecInstalledOnly has been disabled.

This allows the execution of non-installed binaries on the host. Unknown content can cause malware attacks similar to Ransomware

  • vSphere - Issues and Alerts

ExecInstalledOnly has been disabled. This allows the execution of non-installed binaries on the host. Unknown content can cause malware attacks similar to Ransomware.


Environment

VMware vSphere ESXi 8.0
VMware vSphere ESXi 8.0.0

Cause

Scenario 1
  • Files cannot be executed -> execInstalledOnly protection is enabled.

Scenario 2

  • Security warning about executed files and/or unsecure host configuration -> execInstalledOnly protection is disabled.

Resolution

  • Make sure execInstalledOnly is enabled and only executes binaries, which are installed on the host (VIB). Work with any 3rd party vendor to get tools installed as VIB packages, rather than zip files.


Workaround:
  • As an intermediate fix, you can disable the protection.
Note: Please contact VMware support. This solution is not recommended and impacts the security of your system.


Additional Information