On July 9th, VMware reported they had discovered a new vulnerability affecting ESXi versions 6.5 and 6.7 exclusively, along with remediation patches. Runecast Analyzer users have been able to detect the issue automatically since July 12th (v2.7.2).
According to VMware, multiple failed login attempts to ESXi would cause the hostd service to become unresponsive, leading to a partial DOS for the management functions in ESXi. By exploiting this issue, a potential attacker with network access to an ESXi host could create a DOS, and if successful, could cause hostd to become unresponsive, leading to the ESXi host being disconnected from vCenter.
Even if the vulnerability doesn’t affect the virtual machines on your host, having unresponsive states prevents any reconfiguration from taking place. Additionally, the host will not be considered for use by services such as Distributed Resource Scheduler (DRS).
First, check if you might be affected by this vulnerability.
Start your free 14-day Runecast Analyzer trial and run a quick automatic scan of your set-up for any ESXi errors. Runecast has been providing recommendations for this resolution, based on all potential sources (including VMware Security Advisory), already since 12 July (Runecast Analyzer v2.7.2).
If you are running either 6.5 or 6.7, it is recommended that you perform the ESXi patches immediately. Also note that if hostd becomes unresponsive due to this issue, the condition can be cleared by restarting the hostd service – you don’t have to reboot the ESXi host. Also, some vulnerability scanners have been reported to trigger the vulnerability by multiple failed attempts to login to ESXi.
There is also a workaround which can be performed on both affected versions. Said workaround described in KB67920 involves modification of the /etc/vmware/hostd/config.xml file.
Runecast Analyzer also provides you with automated hardware compatibility checks against VMware HCL – including ESXi upgradeability simulations, which allow you to ‘see into the future’ whether your hardware will be compatible with your next upgrade.
The newest version of Runecast Analyzer, v2.7.3, was released July 25, 2019. This version further allows you to edit your PCI-DSS security checks, which is helpful for enterprises under strict security regulations which require custom criteria (such as password requirements, timeout or NTP server). All features are available during your 14-days free trial!
Your Runecast Team