Security scanners report a security alert regarding the presence of the sh command or non-absolute directory entries in the system $PATH on the vCenter Server Appliance (VCSA). The alert typically references potential privilege escalation due to the shell or insecure directory entries.
Error Message / Scanner Finding:
"Non-absolute (i.e., relative) directory entries (such as "." or ".." or "subdir1/subdir2") have been found in the PATH variable. An attacker could elevate his privileges by creating strategically named executable files (such as "ls") and waiting for a user to execute a command with the same name from a particular current working directory (CWD). User “Unknown command” has the following unwanted entries in his/her PATH: ‘sh’"
vCenter Server Appliance 8.x
vCenter Server Appliance 7.x
The alert is triggered by the incorrect formatting of the system $PATH variable, specifically the inclusion of relative directory entries (such as a dot . representing the current directory).
Ensure the $PATH environment variable contains only absolute paths by completing the following steps:
SSH.
grep -H "PATH=" /etc/profile.d/* 2>/dev/null
a. $PATH (Non-Absolute) output: .:/usr/bin:/bin PATH=~/bin:/usr/local/bin
unset PATH
export PATH="/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/java/jre-vmware/bin:/opt/vmware/bin:/opt/vmware/cap/bin"
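The check above can be automated over the grep output. The following is an added example, not part of the original article or a VMware tool: the helper names nonabs_entries and audit_grep_output are hypothetical, and the profile.d file names in the sample are constructed. It also flags empty entries (a leading, trailing or doubled ":"), which the shell treats as the current directory.

```sh
#!/bin/sh
# Added example. nonabs_entries and audit_grep_output are hypothetical helper
# names; the profile.d file names in SAMPLE are constructed.

# Print every non-absolute entry of a PATH-style string, one per line.
# Returns 0 if all entries are absolute, 1 otherwise.
nonabs_entries() {
    rest="$1:"                          # trailing ":" terminates the last entry
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;                                  # absolute
            '') echo '<empty>'; bad=1 ;;            # "::" or edge ":" means CWD
            *)  printf '%s\n' "$entry"; bad=1 ;;    # ".", "..", "~/bin", "sh", ...
        esac
    done
    return "$bad"
}

# Read `grep -H "PATH="` output (file:line) on stdin and print "file: entry"
# for each non-absolute entry. Simplification: a value is cut at the first space.
audit_grep_output() {
    while IFS= read -r line; do
        file=${line%%:*}
        text=${line#*:}
        case $text in                   # skip MANPATH=, LD_LIBRARY_PATH=, ...
            PATH=*|*[!A-Za-z0-9_]PATH=*) ;;
            *) continue ;;
        esac
        value=${text#*PATH=}
        value=${value%%;*}; value=${value%% *}      # drop "; export PATH" etc.
        value=$(printf '%s' "$value" | tr -d "\"'") # strip quoting
        nonabs_entries "$value" | while IFS= read -r e; do
            case $e in '$PATH'|'${PATH}') continue ;; esac  # reference to existing PATH
            printf '%s: %s\n' "$file" "$e"
        done
    done
}

# Constructed sample of grep -H output.
SAMPLE='/etc/profile.d/a.sh:export PATH=.:/usr/bin:/bin
/etc/profile.d/b.sh:PATH=~/bin:/usr/local/bin
/etc/profile.d/c.sh:export PATH="$PATH:/opt/vmware/bin"
/etc/profile.d/d.sh:export MANPATH=man:/usr/share/man'

printf '%s\n' "$SAMPLE" | audit_grep_output
```

On the appliance, the same function can read the live output: grep -H "PATH=" /etc/profile.d/* 2>/dev/null | audit_grep_output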