Beep boop - this is a robot. A new show has been posted to TWiT…
What are your thoughts about today’s show? We’d love to hear from you!
I’m so curious about the attack vector for those who have been compromised by ESXiArgs. I can’t imagine a scenario where it’s desirable or necessary to have your hypervisor exposed to the WAN in such a way that the SLP service would be exposed.
My thinking regarding the outsized number of OVH provider infections - I’d guess they provision a default ESXi instance upon user request and make it available via a dedicated public IP. Not an uncommon practice for hosting providers. At that point it’s up to the end user to manage and secure their server, and I’m guessing many customers probably don’t realize this.
As far as the patching process for ESXi/vSphere - it’s really not that bad if you have a deployment that follows some basic best practices. The hypervisor will typically need to be rebooted, but vSphere allows workloads to be live-migrated to alternate hardware to avoid any downtime to a guest workload (as long as you’re running more than one ESXi server).
P.S. - VMware does have a system in place to monitor customer environments for missing patches called VMware Skyline. However, it’s a service that the customer must deploy in their environment. To be fair to VMware - they did patch this more than a year ago, and sent out notifications and workarounds via their security advisory mailing list.
I don’t know if I share Steve’s disgust toward VMware in this case - what more should they be doing here? Remotely altering people’s server configs when they don’t apply patches or basic security practices? An auto manufacturer can issue a recall but they can’t repo a consumer’s car because of it.
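An added audit helper for the SLP-exposure point raised in the post above (this is example code written for this page, not code from the thread, from VMware, or from the ESXiArgs write-ups). It checks whether the ESXi firewall ruleset that fronts the SLP daemon (CIMSLP, port 427) is enabled, which is the exposure the poster is puzzled by. Assumptions: the `esxcli network firewall ruleset list` column layout, the ruleset name `CIMSLP`, and the `slpd`/`esxcli` disable commands quoted in the warning are taken from the ESXi command set as the author of this example knows it; the ruleset listing embedded below is constructed so the script can be exercised off a host.

```shell
#!/bin/sh
# Added audit helper (example code, not from the thread or from VMware).
# Decides whether the CIMSLP firewall ruleset is enabled on an ESXi host.
# On a real host it reads the live esxcli output; anywhere else it falls
# back to the constructed sample below so the logic can be run offline.

# Constructed sample in the layout esxcli prints (Name / Enabled columns).
SAMPLE_RULESETS='Name             Enabled
---------------  -------
sshServer        true
sshClient        false
CIMSLP           true
vSphereClient    true'

# slp_ruleset_state TEXT
#   Prints "enabled", "disabled" or "absent" for the CIMSLP ruleset.
#   Returns 0 only when the ruleset is enabled, so callers can branch on it.
slp_ruleset_state() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { found = 1; state = $2 }
        END {
            if (!found)          { print "absent";   exit 2 }
            if (state == "true") { print "enabled";  exit 0 }
            print "disabled"; exit 1
        }'
}

# audit_slp_exposure
#   Uses the real esxcli when present (assumed ESXi CLI), else the sample.
#   Returns 1 when SLP is reachable through the host firewall, 0 otherwise.
audit_slp_exposure() {
    if command -v esxcli >/dev/null 2>&1; then
        rulesets=$(esxcli network firewall ruleset list)
    else
        rulesets=$SAMPLE_RULESETS
    fi
    state=$(slp_ruleset_state "$rulesets")
    case $state in
        enabled)
            echo "WARN: CIMSLP firewall ruleset is enabled; SLP (port 427) answers on every enabled interface."
            echo "      Unless CIM/SLP discovery is actually needed, stop the daemon and close the ruleset:"
            echo "        /etc/init.d/slpd stop && chkconfig slpd off"
            echo "        esxcli network firewall ruleset set -r CIMSLP -e 0"
            return 1 ;;
        disabled)
            echo "OK: CIMSLP firewall ruleset is disabled."
            return 0 ;;
        *)
            echo "INFO: CIMSLP ruleset is not listed on this host."
            return 0 ;;
    esac
}

# Run the audit; report findings without aborting the shell.
audit_slp_exposure || printf 'audit finished with findings (exit %s)\n' "$?"
```

Run it from the ESXi shell (or over SSH) on each host; a non-zero exit is the signal to feed into whatever inventory or ticketing you use, and the disable commands only remove SLP discovery, which most vSphere deployments never rely on. Disabling the ruleset is a stop-gap, not a substitute for applying the patch the post mentions.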
I just finished listening to the podcast and had the same question. I would have thought that exposing a hypervisor directly to the internet would be a massive no-no from a security perspective and I can’t think of a scenario where this would be considered a good idea. There are plenty of hardened secure remote access solutions around if you need to log in remotely.