VCTR-67-000025 - The vCenter Server must disable the managed object browser (MOB) at all times when not required for troubleshooting or maintenance of managed objects.

Information

The MOB was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities.

The MOB provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging and could potentially be used to perform malicious configuration changes or actions.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If the datastore browser is enabled and required for object maintenance, no fix is immediately required.

Disable the managed object browser by editing the /etc/vmware-vpx/vpxd.cfg file.

Edit the file and locate the <vpxd> ... </vpxd> element.

Add or update the following element in the vpxd section:
<enableDebugBrowse>false</enableDebugBrowse>

Note: It is not present by default and is case sensitive.

Restart the vCenter Service to ensure the configuration file change(s) are in effect by running the following command on the vCenter appliance:

service-control --restart vmware-vpxd

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-243091r879887_rule, STIG-ID|VCTR-67-000025, Vuln-ID|V-243091

Plugin: VMware

Control ID: 07c12808ac0b5667fe68cd5a0dd376fc7825e1d3d9ac4dfda89da30d7dada0f9