Background
VMware services like ESXi hosts and vCenter are services you would normally place in your private networks: preferably not in your average internal networks, but in your management network along with the other services you provide management for. VMs, on the other hand, are placed in other networks like internal networks, DMZ networks and similar.
Results
By using Shodan I was able to find 4644 (probable) vCenter Servers (servers with the vSphere Web Client on port 9443).
We can even search for the VMware self-signed certificate that is installed by default by most VMware services.
By looking at the certificate information you are also able to get either the internal IP address or the local hostname of the service.
By monitoring these queries over some time I've observed that the number of systems reported changes on a semi-weekly basis by up to 20%, sometimes up and sometimes down.
By using Richard Garsthagen's tool https://github.com/AnykeyNL/vmware_scanner you can also reveal that many of these systems are very old.
Conclusion
That these systems are available on the internet may not seem like a big issue at the moment, as things may seem to be working as expected.
The main reason it is not recommended to expose these services is that they are the doorway to managing and controlling your entire virtual environment. All you need is a valid username and password. Those who have monitored the logs of internet-exposed systems know that automated systems will try to log in on a regular basis.
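One way to see those automated login attempts in your own logs is to count authentication failures per source address and compare the sources against the management network the post recommends. The script below is an added example, not part of the original post or of any VMware tool. The log lines are constructed for the example and follow the common PAM "authentication failure" message shape; the exact format written by ESXi or vCenter on a given release is an assumption you should check against your own auth log, as is the 10.20.30.0/24 management range.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example. Their shape follows the
# common PAM "authentication failure" message; the exact ESXi/vCenter log
# format on a real host is an assumption to verify against your own logs.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
2024-03-01T10:00:04Z sshd[1202]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=admin
2024-03-01T10:00:09Z sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
2024-03-01T10:00:12Z sshd[1204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=administrator
2024-03-01T10:00:15Z sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
2024-03-01T10:00:20Z sshd[1206]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
2024-03-01T10:30:00Z sshd[1300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.20.30.40 user=root
2024-03-01T10:30:05Z sshd[1301]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51022 ssh2
2024-03-01T11:00:00Z sshd[1400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
"""

# Matches a PAM authentication failure and captures timestamp, source and user.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: pam_unix\(\S+:auth\): authentication failure;"
    r".*\brhost=(?P<rhost>\S+)\s+user=(?P<user>\S*)"
)

# Assumed management network: the only place admin logins should come from.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.30.0/24")]


def parse_failures(log_text):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        failures.append((ts, m.group("rhost"), m.group("user")))
    return failures


def is_management_source(ip_text, management_nets):
    """True if the source address lies inside one of the allowed management networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed or hostname-only rhost: treat as unexpected
    return any(ip in net for net in management_nets)


def find_bruteforce(failures, threshold=5, window=timedelta(minutes=1)):
    """Map source_ip -> (max failures inside `window`, sorted usernames tried)
    for every source that reaches `threshold` failures in some sliding window."""
    by_source = defaultdict(list)
    users = defaultdict(set)
    for ts, src, user in failures:
        by_source[src].append(ts)
        users[src].add(user)
    hits = {}
    for src, stamps in by_source.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            # Count failures from this one up to `window` later.
            count = sum(1 for t in stamps[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            hits[src] = (best, sorted(users[src]))
    return hits


def unexpected_sources(failures, management_nets):
    """Sorted source IPs that attempted a login from outside the management networks;
    any entry here means the service is reachable from where it should not be."""
    return sorted({src for _, src, _ in failures
                   if not is_management_source(src, management_nets)})


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for src, (count, names) in find_bruteforce(failures).items():
        print(f"brute force: {src} {count} failures within a minute, users tried: {', '.join(names)}")
    for src in unexpected_sources(failures, MANAGEMENT_NETS):
        print(f"login attempt from outside the management network: {src}")
```

The brute-force check catches the noisy case, but the second check is the one that matters for this post: a single failed login from an address outside the management network already tells you the service is exposed, regardless of whether the credentials held.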
We also know that even though some services are regarded as safe and have had no known security holes for many years, a hole may still turn up at some point and potentially give people access without a valid username and password.
Many of the systems exposed seem to be very old, and we all know that it is bad karma to leave an old unpatched system open to the internet.