In December, VMware posted security bulletin VMSA-2019-0022, which describes a serious vulnerability in ESXi 6.x (and in Horizon DaaS, which is not covered in this blog post) that allows an attacker to remotely execute code on the ESXi host, as long as they have network connectivity to it.

This is of course extremely bad, and it landed the vulnerability a CVSSv3 score of 9.8 out of 10.0. Details in the screenshot below:

As in most cases, there is no need to worry as long as you have done your homework ahead of time. For this vulnerability, the following mitigating factors should help you:

  1. The ESXi hosts should not be reachable over the network from anywhere except the vCenter Server and perhaps a few other infrastructure applications that need to interact directly with them.
  2. You should have policies and procedures in place that govern how and when you apply the security update. ESXi hosts are easy to patch, and you can do it without interrupting the servers/applications running on them. Follow your established procedure for testing and evaluating the patch, but use the emergency timeline if your ESXi hosts are reachable from other clients/servers.
  3. There is a supported workaround available that you can use until you have tested and installed the security patch. It is described in VMware KB76372 and involves stopping the SLP service.
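To make the workaround in item 3 verifiable rather than a one-off manual step, the following POSIX shell script is an added example (it is not from the blog post or from VMware) that checks whether the SLP service has been disabled on a host. It works on captured command output so it can be tried offline; the sample output strings are constructed, and the command names in the comments (`esxcli network firewall ruleset list`, `chkconfig --list`) are my assumptions about what KB76372's workaround touches, not details taken from the post.

```shell
#!/bin/sh
# Added example: offline check that the KB76372-style SLP workaround is
# in effect on an ESXi host, parsed from captured command output.
# The command names mentioned below are assumptions, not from the post.

# Constructed sample output of `esxcli network firewall ruleset list`
# on a host where the workaround has NOT been applied.
SAMPLE_RULESETS_BEFORE='Name                         Enabled
---------------------------  -------
sshServer                    true
CIMSLP                       true
vpxHeartbeats                true'

# Constructed sample output after the CIMSLP ruleset has been disabled.
SAMPLE_RULESETS_AFTER='Name                         Enabled
---------------------------  -------
sshServer                    true
CIMSLP                       false
vpxHeartbeats                true'

# Constructed sample output of `chkconfig --list` (only the slpd line).
SAMPLE_CHKCONFIG_BEFORE='slpd            on'
SAMPLE_CHKCONFIG_AFTER='slpd            off'

# ruleset_enabled RULESET_OUTPUT NAME
# Prints "true" or "false" for the named firewall ruleset.
ruleset_enabled() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2 }'
}

# slpd_autostart CHKCONFIG_OUTPUT
# Prints "on" or "off": whether slpd is configured to start on boot.
slpd_autostart() {
    printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }'
}

# slp_workaround_applied RULESET_OUTPUT CHKCONFIG_OUTPUT
# Returns 0 only when BOTH the CIMSLP firewall ruleset is disabled and
# slpd is off at boot; a host with only one of the two is still exposed
# (either now, or again after the next reboot), so that returns 1.
slp_workaround_applied() {
    fw=$(ruleset_enabled "$1" CIMSLP)
    auto=$(slpd_autostart "$2")
    [ "$fw" = "false" ] && [ "$auto" = "off" ]
}

# Usage on a real host: capture the two listings, then evaluate them.
#   rs=$(esxcli network firewall ruleset list)
#   cc=$(chkconfig --list)
#   slp_workaround_applied "$rs" "$cc" && echo "SLP disabled" || echo "SLP still exposed"
```

The check deliberately requires both the firewall ruleset and the boot-time service state, because disabling only the running service leaves the host exposed again after a reboot, and disabling only the firewall ruleset leaves the service listening for any path that bypasses the ESXi firewall. Run it from vCenter or a jump host against each ESXi host after applying the workaround, and again after patching to confirm nothing re-enabled SLP.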

If you are unsure how to design and implement the technical architecture and organizational procedures for mitigating this and future security vulnerabilities, get in touch with us and we will help you put them in place.