Security Concern: Unsecured NCM Endpoints & General Endpoint Inquiry

Article ID: 400070


Products

VMware Smart Assurance

Issue/Introduction

  • For security reasons, we'd like to block access to the following NCM endpoints:
    https://<ncm>:443/setup
    https://<ncm>:443/voyence-bin/setupmgr.cgi
  • This article gives the steps to block the setup and setupmgr.cgi endpoints in NCM.

Environment

NCM 10.1.x

Cause

  • The endpoints are not secured.
  • Unauthorized users can perform operations on them without needing to log in to the service.
  • The UI presented after launching the endpoint suggests that operations performed on it could lead to data leakage (e.g., transferring a copy of the database to a specified FTP/TFTP server) or even the uninstallation of NCM itself.

Resolution

Follow the steps below to disable the endpoint https://<NCM>:443/setup

  • Delete the following directory
    rm -rf $VOYENCE_HOME/ui/html/setup
  • Restart the vcmaster service
    service vcmaster restart

Follow the steps below to disable the endpoint https://<NCM>:443/setupmgr.cgi

  • Take a backup of the httpd.conf file
    cp $VOYENCE_HOME/conf/httpd.conf $VOYENCE_HOME/conf/httpd.conf_ORIG
  • Edit httpd.conf to add the following lines
    #Disable setupmgr.cgi execution
    <Files "setupmgr.cgi">
    SetHandler none
    Deny from all
    </Files>
  • The lines above can be added directly below this existing block
    <Files ~ "\.(shtml|props)$">
        SSLVerifyClient require
        SSLVerifyDepth 100
    </Files>
  • Restart the httpd service
    systemctl restart httpd

Note: The setupmgr.cgi endpoint needs to be re-enabled during a new device server installation.
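
One way to confirm that both steps took effect, as an added example that is not part of the vendor procedure: the script checks that the setup directory is gone and that httpd.conf carries an active (uncommented) deny block for setupmgr.cgi, and can optionally probe the two URLs. The function names, the script name check.sh, and the treatment of HTTP 403/404 as "blocked" are assumptions of this example.

```shell
#!/bin/sh
# Added verification example; not part of the vendor procedure.

# Succeeds if httpd.conf ($1) has an active (uncommented) <Files "setupmgr.cgi">
# block containing "Deny from all". Lines are lowercased before matching.
setupmgr_denied() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }
        line ~ /^[ \t]*<files[ \t]+"?setupmgr\.cgi"?[ \t]*>/ { inblk = 1; next }
        inblk && line ~ /^[ \t]*<\/files>/ { inblk = 0; next }
        inblk && line ~ /^[ \t]*deny[ \t]+from[ \t]+all[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds if the setup UI directory under VOYENCE_HOME ($1) is gone.
setup_dir_removed() { [ ! -e "$1/ui/html/setup" ]; }

# Assumption: 403 or 404 for an unauthenticated request means "blocked".
endpoint_blocked() {
    case "$1" in 403|404) return 0 ;; *) return 1 ;; esac
}

# Live check of one URL path ($2) on host ($1); -k assumes a self-signed cert.
probe() {
    code=$(curl -k -s -o /dev/null --max-time 10 -w '%{http_code}' "https://$1:443$2")
    endpoint_blocked "$code" || { echo "FAIL: $2 returned HTTP $code"; return 1; }
}

# On-disk audit of both hardening steps; $1 = VOYENCE_HOME.
audit_ncm() {
    rc=0
    setup_dir_removed "$1" || { echo "FAIL: $1/ui/html/setup still exists"; rc=1; }
    setupmgr_denied "$1/conf/httpd.conf" || { echo "FAIL: no active deny block for setupmgr.cgi"; rc=1; }
    return $rc
}

# Usage: sh check.sh "$VOYENCE_HOME" [ncm-hostname]
if [ "$#" -gt 0 ]; then
    audit_ncm "$1" || exit 1
    if [ "$#" -gt 1 ]; then
        probe "$2" /setup || exit 1
        probe "$2" /voyence-bin/setupmgr.cgi || exit 1
    fi
    echo "OK"
fi
```

Re-running the audit after an NCM upgrade or a device server installation shows whether the setup directory or the original httpd.conf has been restored.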