Vulnerability assessment is the process of analyzing and identifying design and configuration flaws in a system that can be exploited/misused to gain unauthorized access by attackers. Vulnerability assessment is a critical part of application, hardware and system design.
But is vulnerability assessment only required during system design and initial deployment? With the evolving demands of datacenters and cloud solutions, combined with the increasing threats to IT infrastructure, it is essential to perform periodic vulnerability assessments and timely mitigation of discovered weaknesses to maintain a healthy cybersecurity posture for your infrastructure.
!!DISCLAIMER!!: All assessments shown in this blog post were performed on out-of-box setups, before the application of any security controls. Any resemblance to any live setup is purely coincidental. In addition, all examples shown are for ethical purposes only and must not be used without proper written permission from all parties involved.
In the first part of this series, we will look at the types of vulnerability assessment this series covers, along with some tips and tools you can use for manual vulnerability assessment of vSphere infrastructure.
For the scope of this discussion, there are two types of vulnerability assessments, internal and external:
1- Internal Assessment: This type of assessment is typically performed inside the security perimeter to identify vulnerabilities and exposures within the internal network. This type of assessment can help identify vulnerabilities on individual devices and systems within the network, which is essential for Defense-in-Depth architecture.
2- External assessment: This type of assessment is performed outside the network perimeter, or the part of the network exposed to the internet, to assess the vulnerabilities exposed to the outside world. This type of assessment is more helpful in understanding the firewall/router vulnerabilities and configuration flaws.
For the scope of this blog post, we will be assuming that the assessment setup is connected to the internal network for assessing the following:
- Discover live hosts in the network
- Identify hosts running ESXi in the network
- Discover open ports and services running on vCenter server.
- Identify vulnerabilities on the vCenter server.
There are two ways to go about a vulnerability assessment: manually, or by using automated vulnerability scanning tools. In the first part of this series, we will look at tools that can be used for manual vulnerability assessment. In the second part, we shall take a look at tools that can be used for automated vulnerability assessment.
Let us look at the outline of our sample 'manual' vulnerability assessment procedure:
1- Discover live hosts in the internal network. We will use the NMAP tool for this.
nmap -sn -PE <your subnet range>
Notice that the command output also reveals the NIC vendors, derived from the MAC addresses. This can be used to identify VMware-based virtual machines (and so ESXi) in the scanned environment.
2- Discover hosts running ESXi in the network, using NMAP:
nmap -O -T4 <list of live hosts discovered in previous step>
In the command output, you will find the OS guess / aggressive OS guess results. For ESXi hosts you typically will not get an exact match, but you will get a guess at the OS. As shown in the example above, this tool was run on an ESXi 7 host, but the version in the nmap output shows as ESXi 6.0. Since this is an OS guess, you get the nearest OS match rather than an exact one, which may be enough simply to identify hosts running ESXi.
3- Identify ports and services running on ESXi/vCenter servers, using NMAP:
nmap -sV -p 0-65535 -Pn <ESXi/vCenter FQDN/IP>
As you can see from the command output, this command gives you a summary of all ports and services on the target server.
Another important use of this command is the "CPE", or Common Platform Enumeration, output, which is a standardized way of naming operating systems, applications and platforms. This can give you more accurate OS and service information in case the previous command did not return an accurate or exact match.
4- Now that we have identified the OS and the services running, we can use several online resources to discover vulnerabilities in that OS or those services that may be exploited by attackers to gain unauthorized access:
- CVE: the Common Vulnerabilities and Exposures website.
- NVD: the National Vulnerability Database. This site provides a list of vulnerabilities along with their assigned CVSS scores.
NVD also publishes its data in Security Content Automation Protocol (SCAP) formats and through APIs, which can be used to automate vulnerability lookups.
- VMSA: VMware's own VMware Security Advisories.
Using the above resources, one can manually assess OSes, services and applications for vulnerabilities.
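To tie the four steps together, here is an added example (not code from the original post) that parses the XML nmap writes with its `-oX` option for the host-discovery, OS-detection and service-scan steps, flags hosts that look like ESXi from their MAC vendor and CPE names, and builds the NVD API lookup URL for each CPE so step 4 can be scripted. The sample XML is constructed by hand in the shape of real nmap output; the VMware OUI list and the NVD API 2.0 endpoint are stated from public documentation as I know it and should be checked against the current IEEE registry and NVD documentation. The script only builds the URLs and never sends a request, so it runs offline.

```python
"""Parse nmap -oX output, flag likely ESXi hosts, and build NVD CVE lookup URLs.

Added example, not from the original post. SAMPLE_NMAP_XML is constructed by hand.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# OUIs registered to VMware (assumption: from the IEEE registry as remembered).
VMWARE_OUIS = {"00:50:56", "00:0C:29", "00:05:69", "00:1C:14"}

# NVD API 2.0 CVE endpoint; the cpeName parameter expects a CPE 2.3 string.
NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Constructed sample in the shape of nmap's XML: one ESXi host, one Linux host,
# one host that did not respond. Addresses, vendors and versions are made up.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.21" addrtype="ipv4"/>
    <address addr="00:50:56:9A:1B:2C" addrtype="mac" vendor="VMware"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="VMware ESXi SOAP API" version="7.0.0">
          <cpe>cpe:/a:vmware:esxi:7.0.0</cpe></service></port>
      <port protocol="tcp" portid="902"><state state="open"/>
        <service name="vmware-auth" product="VMware Authentication Daemon"/></port>
    </ports>
    <os><osmatch name="VMware ESXi 6.0" accuracy="90">
      <osclass type="specialized" vendor="VMware" osfamily="ESX Server" accuracy="90">
        <cpe>cpe:/o:vmware:esxi:6.0</cpe></osclass></osmatch></os>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.40" addrtype="ipv4"/>
    <address addr="F4:8E:38:11:22:33" addrtype="mac" vendor="ExampleVendor"/>
    <ports><port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="8.4p1">
        <cpe>cpe:/a:openbsd:openssh:8.4p1</cpe></service></port></ports>
    <os><osmatch name="Linux 5.4" accuracy="95">
      <osclass type="general purpose" vendor="Linux" osfamily="Linux" accuracy="95">
        <cpe>cpe:/o:linux:linux_kernel:5.4</cpe></osclass></osmatch></os>
  </host>
  <host><status state="down"/><address addr="10.0.0.41" addrtype="ipv4"/></host>
</nmaprun>
"""


def is_vmware_mac(mac):
    """True if the first three octets of the MAC are a VMware OUI."""
    return mac.upper()[:8] in VMWARE_OUIS


def cpe22_to_23(cpe_uri):
    """Convert nmap's CPE 2.2 URI (cpe:/o:vmware:esxi:6.0) into the CPE 2.3
    formatted string NVD expects (cpe:2.3:o:vmware:esxi:6.0:*:*:*:*:*:*:*)."""
    if not cpe_uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe_uri)
    fields = [f if f else "*" for f in cpe_uri[len("cpe:/"):].split(":")]
    fields += ["*"] * (11 - len(fields))  # CPE 2.3 has 11 attributes
    return "cpe:2.3:" + ":".join(fields[:11])


def nvd_query_url(cpe_uri):
    """Build (but do not send) an NVD API 2.0 query for CVEs matching a CPE."""
    return NVD_CVE_API + "?" + urlencode({"cpeName": cpe22_to_23(cpe_uri)})


def parse_nmap_xml(xml_text):
    """Return one dict per host that is 'up': IP, MAC, OS guesses, open services, CPEs."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": None,
               "os_matches": [], "services": [], "cpes": set()}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":
                rec["mac"], rec["vendor"] = addr.get("addr"), addr.get("vendor")
            elif addr.get("addrtype") in ("ipv4", "ipv6"):
                rec["ip"] = addr.get("addr")
        for osm in host.iter("osmatch"):  # step 2: OS guesses (may be inexact)
            rec["os_matches"].append((osm.get("name"), int(osm.get("accuracy", 0))))
            rec["cpes"].update(c.text for c in osm.iter("cpe"))
        for port in host.iter("port"):  # step 3: open ports, services and CPEs
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            rec["services"].append((int(port.get("portid")), svc.get("name"),
                                    svc.get("product"), svc.get("version")))
            rec["cpes"].update(c.text for c in svc.iter("cpe"))
        rec["vmware_mac"] = bool(rec["mac"]) and is_vmware_mac(rec["mac"])
        rec["likely_esxi"] = (any("esxi" in c.lower() for c in rec["cpes"])
                              or any("esxi" in n.lower() for n, _ in rec["os_matches"]))
        hosts.append(rec)
    return hosts


def summarize(xml_text):
    """Map each live host's IP to (likely_esxi, sorted NVD lookup URLs for its CPEs)."""
    return {h["ip"]: (h["likely_esxi"], sorted(nvd_query_url(c) for c in h["cpes"]))
            for h in parse_nmap_xml(xml_text)}


if __name__ == "__main__":
    for ip, (esxi, urls) in summarize(SAMPLE_NMAP_XML).items():
        print(ip, "likely ESXi" if esxi else "not ESXi")
        for u in urls:
            print("   ", u)
```

The MAC check only works for hosts on the same layer-2 segment as the scanner, since that is the only case in which nmap can see a MAC address, and a VMware OUI identifies a VMware VM or virtual NIC rather than an ESXi host itself; the CPE and OS-match checks are what actually point at ESXi. Keep the version caveat from step 2 in mind when reading the resulting NVD hits: an OS-guess CPE of 6.0 on a 7.0 host will return the wrong advisories, so prefer the service-detection CPE where both are present.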
The manual vulnerability assessment process requires a lot of time, especially when assessing large environments. We will look at automated vulnerability assessment tools in the next part of this series.