The Nexpose coverage team is dedicated to providing weekly updates to the Nexpose vulnerability database so that you can have the assurance that your assets are protected against the latest security vulnerabilities. For this week's release, the coverage team is proud to present a complete overhaul of our VMware ESX/ESXi content.
Why, you may ask?
In our old coverage model, we connected to the ESX or ESXi server via an authenticated SSH session to retrieve a list of installed patches on the server, and compared that list against the patches found in each VMware security advisory. This coverage model created challenges from time to time, because VMware regularly superseded their security patches with newer ones. For example, update pack 3 for ESX 3.5, installed on a new ESX 3.5 server, would contain cumulative fixes for all previous security advisories, but Nexpose would only see the update pack installed and could not determine the list of patches that were superseded. Furthermore, since version 5.0 of ESXi, VMware has made it impossible to list installed patches via the command line interface. This change forced us to look for alternative methods.
How we made it simpler
While investigating possible solutions to this problem, we discovered that VMware had switched to a different method for releasing security patches. Instead of releasing "patches" to fix individual binaries in the traditional sense, each VMware patch for ESX/ESXi now comes as a complete kernel image containing cumulative fixes, along with a build number that is incremented for each patch. We decided to leverage this information to greatly reduce the complexity of our coverage model. Now we only need to know the kernel build number of the target ESX or ESXi server, and compare it against the build number that is listed in the patches for each VMware security advisory. This means that you will see more reliable and accurate scan results, with faster scan times to boot (no more retrieving the list of installed patches)!
Administrative credentials optional
To make life even easier, this build number information is advertised right in the HTTPS banner of the ESX/ESXi server web portal, which is now fingerprinted by Nexpose. That's right, Nexpose no longer requires administrative credentials to ESX/ESXi servers to provide coverage for the latest VMware security advisories! All you have to do is include port 443 in your Nexpose scan template so that the HTTPS banner on your ESX or ESXi server gets fingerprinted. Please note that although providing administrative credentials is now optional for VMware ESX/ESXi coverage, a credentialed scan will result in more accurate fingerprinting and a reduced chance of false positives.
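The build-number comparison described above can be sketched as follows. This is an added example, not Nexpose's own code: the version-string layout (`VMware ESXi 5.0.0 build-NNNNNN`), the advisory IDs, and every build number are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional


class Fingerprint(NamedTuple):
    product: str  # "ESX" or "ESXi"
    release: str  # major.minor release line, e.g. "5.0"
    build: int    # kernel build number


# Assumed banner layout; the exact string Nexpose fingerprints is not given here.
_VERSION_RE = re.compile(
    r"VMware (ESXi?)\s+(\d+\.\d+)(?:\.\d+)*\s+build-(\d+)", re.IGNORECASE
)

# Constructed advisory data: first fixed build for each (product, release line).
ADVISORIES = {
    "VMSA-EXAMPLE-0001": {("ESXi", "5.0"): 500000, ("ESXi", "4.1"): 400000},
    "VMSA-EXAMPLE-0002": {("ESX", "4.1"): 410000},
}


def parse_fingerprint(banner: str) -> Optional[Fingerprint]:
    """Extract product, release line and build number, or None if absent."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    product = "ESXi" if m.group(1).lower() == "esxi" else "ESX"
    return Fingerprint(product, m.group(2), int(m.group(3)))


def assess(banner: str) -> dict:
    """Return a verdict per advisory based only on the advertised build."""
    fp = parse_fingerprint(banner)
    verdicts = {}
    for advisory, fixed_builds in ADVISORIES.items():
        if fp is None:
            verdicts[advisory] = "unknown"         # no build number to compare
            continue
        fixed = fixed_builds.get((fp.product, fp.release))
        if fixed is None:
            verdicts[advisory] = "not-applicable"  # release line not listed
        elif fp.build < fixed:
            verdicts[advisory] = "vulnerable"      # older than the fixed image
        else:
            verdicts[advisory] = "patched"         # cumulative image covers it
    return verdicts


if __name__ == "__main__":
    print(assess("VMware ESXi 5.0.0 build-450000"))  # constructed banner
```

Because each kernel image is cumulative, a single integer comparison per release line replaces the superseded-patch bookkeeping of the old model; a banner with no build number yields "unknown" rather than a guess.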