VMware ESX / ESXi Remotely Accessible Method Object Browser API

Severity: Critical | Nessus Plugin ID 121352

Synopsis

A method object browser API is accessible on the remote VMware ESX / ESXi host.

Description

The remote VMware ESX / ESXi host exposes a Method Object Browser (MOB) API at the /mob path of its web interface. The MOB is disabled by default. If enabled, it allows remote attackers to invoke methods on VMware ESX / ESXi objects, including create and destroy operations, and thereby interact directly with the hypervisor. ESXi credentials and permissions are required to use the MOB.

Solution

Ensure that only valid administrators have accounts and privileges on the ESXi host. Limit local accounts to the most trusted administrators and use the built-in RBAC capabilities to scope their permissions. If the MOB is enabled, this limits what can be done through it. Note: The MOB is disabled by default on ESXi.
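A host-side check to go with the remediation above, added here as an example and not part of the Nessus plugin: it reads the ESXi host-agent advanced option that controls the MOB and reports whether /mob is enabled. It assumes the option is named Config.HostAgent.plugins.solo.enableMob and that `vim-cmd hostsvc/advopt/view` prints it in the key/value shape shown in the constructed sample; the parser is separated from the live call so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the plugin or VMware). Assumption: the host-agent
# advanced option below is the switch for the Managed/Method Object Browser.
MOB_OPTION="Config.HostAgent.plugins.solo.enableMob"

# Parse the text printed by `vim-cmd hostsvc/advopt/view <key>` (assumed
# format: a line reading `value = true` or `value = false`).
# Prints one of: enabled, disabled, unknown.
mob_state_from_output() {
    value=$(printf '%s\n' "$1" |
        awk '$1 == "value" && $2 == "=" { gsub(/[^a-z]/, "", $3); print $3; exit }')
    case "$value" in
        true)  echo enabled ;;
        false) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# Live check, intended to run in the ESXi shell (e.g. over SSH) as an admin.
# Returns non-zero if vim-cmd is unavailable or the option cannot be read.
mob_state_on_host() {
    out=$(vim-cmd hostsvc/advopt/view "$MOB_OPTION" 2>/dev/null) || {
        echo unknown
        return 1
    }
    mob_state_from_output "$out"
}

# Constructed sample of the output shape the parser expects (MOB disabled).
SAMPLE_DISABLED='(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = false
   }
]'

# Only query the host when this actually runs on ESXi.
if command -v vim-cmd >/dev/null 2>&1; then
    echo "MOB state on this host: $(mob_state_on_host)"
fi
```

A result of `enabled` means the /mob endpoint is live and the RBAC review in the Solution applies; `disabled` matches the ESXi default.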

See Also

http://www.nessus.org/u?cd83d552

Plugin Details

Severity: Critical

ID: 121352

File Name: vmware_esx_mob_directory_remote_api.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 1/24/2019

Updated: 9/30/2019

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score from an in-depth analysis done by Tenable

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/o:vmware:esx, cpe:/o:vmware:esxi

Excluded KB Items: global_settings/supplied_logins_only