September 10, 2017

Visibility of private VMware services on the public internet

Background

VMware services like ESXi hosts and vCenter are services you would normally place in your private networks: preferably not in your average internal network, but in your management network along with the other services you manage from there. VMs, on the other hand, are placed in other networks, like internal networks, DMZ networks and similar.

Results

By using Shodan I was able to find 4644 (probable) vCenter Servers (servers with the vSphere Web Client on port 9443).

With the same search engine it's also easy to find computers that are hosting VMs (ESXi, Workstation, Player) by looking for computers with the VMware Authentication Daemon (providing VNC) on port 902, and the number is quite astonishing.

Most of these systems are not identified by OS (only ~3k of ~200k), but I suspect that a big majority here is hosted products and not ESXi hosts. We can also tell by the version of the VMware Authentication Daemon that some of the systems are dated, with pre-2009 versions.

We can even search for the VMware self-signed certificate that is installed by default by most VMware services. By looking at the certificate information you're also able to get either the internal IP address or the local hostname of the service.

By monitoring these queries over some time I've observed that the number of systems reported changes on a semi-weekly basis by up to 20%, sometimes up and sometimes down.

By using Richard Garsthagen's tool https://github.com/AnykeyNL/vmware_scanner you can also reveal that many of these systems are very old.
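As an added defensive example (not part of the original post): a small Python script that turns scan data for address space you own into exposure findings, using the two indicators above, the vSphere Web Client on port 9443 and the Authentication Daemon banner on port 902. The sample records, the banner text and the version baseline are constructed assumptions, not captured data.

```python
import re
import socket

# Ports the post uses to identify exposed VMware management services
VMWARE_AUTHD_PORT = 902          # VMware Authentication Daemon (remote console / VNC)
VSPHERE_WEB_CLIENT_PORT = 9443   # vSphere Web Client on vCenter
BANNER_RE = re.compile(r"VMware Authentication Daemon Version (\d+(?:\.\d+)*)")

def parse_authd_banner(banner):
    """Return the version string from an authd greeting, or None if it is not authd."""
    match = BANNER_RE.search(banner or "")
    return match.group(1) if match else None

def grab_banner(host, port=VMWARE_AUTHD_PORT, timeout=3.0):
    """Read the greeting authd sends on connect (hypothetical helper; hosts you own only)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return sock.recv(256).decode("ascii", "replace")
    except OSError:
        return None

def assess(open_ports, banner902=None, baseline=(1, 10)):
    """Findings for one host. `baseline` is an assumed minimum authd version the
    operator expects in their own estate; anything lower is flagged for review."""
    findings = []
    if VSPHERE_WEB_CLIENT_PORT in open_ports:
        findings.append("9443 open: vSphere Web Client reachable, vCenter management exposed")
    if VMWARE_AUTHD_PORT in open_ports:
        version = parse_authd_banner(banner902)
        if version is None:
            findings.append("902 open but no authd banner, verify the service manually")
        else:
            findings.append(f"902 open: VMware authd {version}, console access path exposed")
            if tuple(int(p) for p in version.split(".")) < baseline:
                findings.append(f"authd {version} is below baseline, likely unpatched")
    return findings

# Constructed sample records (documentation addresses, not real hosts); the banner
# text is modelled on the greeting authd prints, not captured from a live system.
SAMPLE_SCAN = [
    {"host": "198.51.100.10", "ports": [443, 9443], "banner902": None},
    {"host": "198.51.100.11", "ports": [902],
     "banner902": "220 VMware Authentication Daemon Version 1.00: SSL Required\r\n"},
    {"host": "198.51.100.12", "ports": [22, 80], "banner902": None},
]

def exposure_report(records=SAMPLE_SCAN):
    """Map host -> findings, keeping only hosts with something to fix."""
    return {r["host"]: f for r in records if (f := assess(r["ports"], r["banner902"]))}
```

Feed it the ports and banners from your own perimeter scan and any host it reports should be moved behind the management network or a VPN.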

Conclusion

That these systems are available on the internet may not seem like a big issue at the moment, as things may seem to be working as expected.

The main reason it is not recommended to expose these services is that they are the doorway to manage and control your entire virtual environment. All you need is a valid username and password. Those who have monitored the logs of internet-exposed systems know that automated systems will try to log in on a regular basis.

We also know that even though some services are regarded as safe and have had no known security holes for many years, they may still turn out to have a hole at some point, which can potentially give people access without a valid username and password.

Many of the exposed systems seem to be very old, and we all know it is bad karma to leave an old unpatched system open to the internet.
