Security Vulnerability assessment reports Remote web server discloses information via HTTP headers on vCenter Appliance
Article ID: 393658

Products

VMware vCenter Server

Issue/Introduction

  • The HTTP headers sent by the remote web server disclose information that can aid an attacker, such as the server version and the languages used by the web server.
  • Affected vCenter Server Appliances run web servers that return the following Server headers:

      • Server: TwistedWeb/17.1.0 (VCSA port 5580)

      • Server: lighttpd/1.4.45 (VCSA port 5480)

Environment

vSphere ESXi 7.x

vSphere ESXi 8.x

Resolution

For TwistedWeb/17.1 on port 5580, we can disable the pod service.

The pod service is a service running inside the vCenter Server (VC) that acts as an orchestrator for the Skyscraper service. It is responsible for adding or removing hosts to an SDDC and for patching or upgrading it. These requests primarily originate from the Autoscaler and Fleet Management services, which serve as the front-end for the pod service.

The pod service is only required in cloud environments, such as VMware on AWS (VMW on AWS). In any on-premises environment it can be disabled, which also mitigates the weak-cipher findings reported against this port.

Note: Take a backup of the config file or a snapshot of the VC before making changes.

Action Plan for TwistedWeb/17.1 on Port 5580:

SSH into the vCenter Server.

Stop the VMware pod service using the following command:

    service-control --stop vmware-pod

Disable the VMware pod service using the following command:

    systemctl disable vmware-pod.service

Action Plan for Lighttpd/1.4.45 on Port 5480:

Add the following to the "/etc/applmgmt/appliance/lighttpd.conf" file and run "systemctl restart vami-lighttp". The first block denies every URL for the OPTIONS method; the second replaces the version banner with a fixed string.

$HTTP["request-method"] =~ "^(OPTIONS)$" {

    url.access-deny = ( "" )

}

server.tag = "vami"

For HTTP TRACE method on vCenter ports 9084 and 9087:

Some third-party tools for vulnerability scans might report the HTTP TRACE method on vCenter ports 9084 and 9087 as vulnerable. This issue is resolved in 7.0 U3o.

For more information, refer to the VMware vCenter Server 7.0 Update 3o Release Notes.

After making the recommended changes above, the requirement to configure the web servers to remove any form of information disclosure that displays version details is fulfilled. A port scan of the appliance then shows:

PORT     STATE  SERVICE      VERSION
5480/tcp open   ssl/http     lighttpd
5580/tcp closed tmosms0
9084/tcp open   aurora?
9087/tcp open   ssl/classic?
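To verify the fix from a defender's side, the check below parses raw HTTP responses and flags the two conditions this article addresses: a Server (or X-Powered-By) header carrying a product/version token, and an OPTIONS request to port 5480 that is not denied. This is an added example, not part of the KB article; the sample responses are constructed to match the banners named above, not captured from a real appliance.

```python
import re

# Matches a "product/major.minor[.patch]" token such as "lighttpd/1.4.45".
VERSION_RE = re.compile(r"\b[\w.-]+/\d+(?:\.\d+)+")

# Constructed sample responses (not captured from a real appliance): the two
# banners named in the article before the fix, and what the fix should yield.
BEFORE_5480 = "HTTP/1.1 200 OK\r\nServer: lighttpd/1.4.45\r\nContent-Type: text/html\r\n\r\n<html>"
BEFORE_5580 = "HTTP/1.1 200 OK\r\nServer: TwistedWeb/17.1.0\r\nContent-Type: text/html\r\n\r\n"
AFTER_5480 = "HTTP/1.1 200 OK\r\nServer: vami\r\nContent-Type: text/html\r\n\r\n<html>"
AFTER_5480_OPTIONS = "HTTP/1.1 403 Forbidden\r\nServer: vami\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw):
    """Return (status_code, headers) from the head of a raw HTTP/1.x response.

    Header names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def findings(raw, method="GET"):
    """List the information-disclosure findings a scanner would raise for this response."""
    status, headers = parse_response(raw)
    out = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            out.append(f"{name} header discloses version: {value}")
    # After the lighttpd.conf change, OPTIONS must be denied; url.access-deny answers 403.
    if method.upper() == "OPTIONS" and status != 403:
        out.append(f"OPTIONS not denied (status {status})")
    return out


if __name__ == "__main__":
    for label, raw, method in (("5480 before", BEFORE_5480, "GET"),
                               ("5580 before", BEFORE_5580, "GET"),
                               ("5480 after", AFTER_5480, "GET"),
                               ("5480 after OPTIONS", AFTER_5480_OPTIONS, "OPTIONS")):
        print(label, "->", findings(raw, method) or "clean")
```

Against a live appliance, feed `findings()` the response head returned by a TLS connection to the port in question; an empty list for both GET and OPTIONS on 5480, together with a closed 5580, matches the scan result shown above.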