Vulnerability Scans of VMWare ESXi hosts

Our VM admin disabled SSH to the VMWare hosts as this is now best practice.
I was wondering how do others in the community go about scanning VMWare hosts?

It was mentioned to me at some point to use port 443,Any help and ideas are appreciated.

2 Likes

Hi Andy! We’ve got some info here regarding discovery of VMware hosts. For dynamic discovery, the console can either connect to a vCenter server or connect directly to ESXi hosts. That page also lists the types of connections that are supported.

When it comes to vulnerability scans, you’re right that the scanner needs access to port 443 to get all the necessary info. And in this case, SSH should actually be disabled since it’s not required for vuln scan purposes. If you’re looking to do policy scans for these hosts, then SSH would need to be enabled (something that we want to update but no current timeline for it).

3 Likes

Following this. We have some that have 443 opened they discovered we scanned but no creds still have certainty of 90 are they good to go, how do we get them at 100 add creds? I thought i was going crazy by seeing the vul checks in logs without creds. I saw couple of articles that indicated esx stuff is already in Rapid7 Insightvm…so creds are optional? Am i reading that right?

I have to add that we are using port 443 for communication with the ESXi hosts. The discovery is not an issue…that part works. But, only vulnerabilities at the OS (Linux) level are being reported.
So, I am not sure something is missing or if this is by default. Maybe a VMWare experienced engineer/admin can chime in?

+1 for this topic.

Are we missing out on any authenticated vulnerability checks if we are not able to connect via SSH to ESXi host?

2 Likes

I double checked this with the team, and they confirmed that there’s no need to enable SSH or supply creds for vulnerability checks on these types of hosts. The scanner should be able to pull enough information for accurate vulnerability assessments via the SOAP API on port 443.

I’m not 100% sure about this one, but I’ll see if someone else has some info they can share.

3 Likes

they confirmed that there’s no need to enable SSH or supply creds for vulnerability checks on these types of hosts. The scanner should be able to pull enough information for accurate vulnerability assessments via the SOAP API on port 443.

Great news! thank you for confirming

3 Likes

Is it still the case the SSH would need to be enabled in order to do policy scans against ESXi?

That’s correct! You’d still need SSH enabled for policy scans of ESXi.

1 Like

Getting back to this subject as I keep getting nowhere…
Does anybody have some guidelines / instructions how to do the assessments via the SOAP API?
I would need something that I can go with to the VM admin. Any help is appreciated.

1 Like

Hi Andy, I am pretty sure no additional configuration is needed. Someone can correct me if I’m wrong, but I think the scanner just pulls the version number from the VMWare SOAP API without credentials. On our system, it just works.

1 Like

Thank you for replying.
I just cannot figure out how IVM would connect to VMWare. I cannot find anything like an example or instructions of some sort.

1 Like

This has been bugging me for a while, and we were in the process of getting a scripted enable ssh>scan>disable ssh up to ensure we have a ‘proper’ authenticated scan of our ESXi hosts.

However after seeing this thread and checking our results it does appear that the HTTP SOAP is giving the same results as an authenticated SSH scan.

We have 3 hosts we have local accounts on via ssh whilst we test this, that login via ssh successfully and ‘authenticate’ scan showing a 1 on Node fingerprints.

Comparing the results on these hosts to all of the others that dont have local creds, and instead are showing a 0.9 via HTTP SOAP, shows me identical results.

So it does appear that auth via SSH for Vuln Scan (not policy scan) is not required, and the HTTP SOAP method is ‘good enough’, and we dont need to chase that elusive ‘1’ for ESXi

esxisoap

2 Likes

I have the same issue. I have as source HTTP SOAP and a certainty of 0.9. And yet, no vulnerabilities are shown.
It seems, however, be working for VMware ESXI Server 6.0.0.
The majority of hour VMWare ESXI servers are version 6.7.0.
Anybody having same experience?

1 Like

OK, community, I have an update on the EXSI host scanning issue.

From support: “support for Esxi up to and including version 6.0 but no proper support for later versions”
A feature request exists now with Product Management. No ETA when and if it goes into production, but now I know what the issue is and hopefully we get this enhancement soon in the product.

1 Like

Hi Andy, what is the article link for procedure/steps for this HTTP SOAP authentication scan method for InsightVM? I tried key word search but not getting useful results. Much appreciate in advance pointing me to the right procedure. Thanks.

There is no additional configuration needed. IVM will connect to ESXi via HTTP SOAP without any setup.

1 Like

Rapid7 support indicated the same to us when we queried why no vulnerabilities were detected for ESXi7 hosts. Given v7 has been GA for nearly 2 years (and 6.x longer), and the market adoption of VMWare vSphere, we find this staggering. We don’t just need a product that tells us we have Windows vulnerabilities that we already know about and patch monthly anyway. Come-on R7!

4 Likes

I could not agree more. Well said.

AGREED.
I will be setting up vuln scans against our VMware ESXi hosts next and this was helpful.