Knowledge Base

MITIGATION AND THREAT HUNTING GUIDANCE FOR UNSIGNED VSPHERE INSTALLATION BUNDLES (VIBS) IN ESXI (89619)
--------------------------------------------------------------------------------
Last Updated: 9/29/2022
Categories: Security
Total Views: 20823
Language: English

SYMPTOMS

Details

On Thursday September 29th, Mandiant published information on malware they discovered in the wild that leverages unsigned VIBs to install backdoors on a compromised ESXi host. It should be noted that a malicious actor must first obtain administrative privileges (root) on an ESXi host prior to installing a malicious VIB. Also, Mandiant found no evidence that a vulnerability in a VMware product was exploited to gain access to ESXi during their investigations. For information on operational security best practices, Mandiant's findings, and general information about this disclosure, please review our article entitled Protecting vSphere From Specialized Malware.

This KB article focuses on mitigation and threat hunting instructions for unsigned VIBs.

RESOLUTION

Mitigation

In addition to implementing the operational security best practices described in Protecting vSphere From Specialized Malware to prevent a compromise in the first place, VMware recommends enabling the Secure Boot feature in ESXi to mitigate the risk of malicious actors persisting on a compromised ESXi host via malicious VIB installation. Secure Boot was designed to disallow installation of unsigned VIBs on an ESXi host. In addition, Secure Boot disallows the --force flag, which would normally allow an administrator to bypass acceptance level settings on the ESXi host.

To enable Secure Boot, perform the following steps:
* Contact your hardware vendor for steps on how to enable UEFI / Secure Boot for your system.
* Enable Secure Boot on ESXi: UEFI Secure Boot for ESXi Hosts (vmware.com)
* Run the Secure Boot validation script: /usr/lib/vmware/secureboot/bin/secureBoot.py -c
* If the host runs 7.0 U2 or later and has a TPM, please see the following document: Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration (vmware.com)

Threat Hunting

Concerned customers can perform the following steps to audit their ESXi host(s) for unsigned VIBs.

Download the PowerCLI script Verify_ESXi_VIB_Signature.ps1 (attached to this KB) and run it against your vCenter using the SSO admin credentials.

Requirements:
* PowerCLI installed: Install PowerCLI (vmware.com)
* Port 443 access to vCenter from the machine where the script is run
* Set the PowerShell Execution Policy so that the unsigned script can run: Set the PowerShell Execution Policy to RemoteSigned (vmware.com)

What to look for in the results:
* Overall Status = Good: This host has no unsigned VIBs.
* Overall Status = Not Good: Unsigned VIBs were detected on the host.

Note: ESXi 6.5 has a known issue which will show an unsigned VIB on the ESXi base. Please see the following KB: Unable to enable Secure Boot in ESXi 6.x (79790) (vmware.com)

Note: CommunitySupported VIBs are not signed. CommunitySupported VIBs require an ESXi host to be set to the CommunitySupported acceptance level, which is not recommended.

What should I do if I find unsigned VIBs in my environment?

VMware does not recommend using unsigned VIBs, but their presence does not definitively prove that an ESXi host has been compromised. VMware recommends that organizations attempt to determine the origin of any unsigned VIB(s) found on their ESXi hosts, as it is possible that a trusted administrator intentionally installed the unsigned VIB(s) for a legitimate purpose. However, organizations who suspect a compromise may have occurred should follow their established incident response processes. For organizations that do not have an in-house Incident Response team, VMware provides a list of trusted partners who offer incident response services; please see: https://www.vmware.com/partners/work-with-partners/incident-response-and-managed-security-service-providers.html

RELATED INFORMATION

* Please follow KB Unable to enable Secure Boot in ESXi 6.x if esx-base VIB verification is failing with the error "Failed to verify checksum for payload btldr: Not found".
* The Secure Boot feature will verify the VIBs during boot and will trigger a PSOD with the following error if any unsigned VIB is installed on the ESXi host: UEFI Secure Boot failed: Failed to verify signatures of the following vibs (XX)

Detectable by VMware Skyline
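As an added example that is not the KB's attached Verify_ESXi_VIB_Signature.ps1, the following PowerCLI script reproduces the per-host Good / Not Good check described above. It assumes the VMware.PowerCLI module is installed and vCenter is reachable on 443; it also assumes that hosts on ESXi 7.0 or later expose an esxcli "software vib signature verify" namespace whose rows carry a SignatureVerification field (that namespace and the property names are assumptions, not taken from this KB), and on older hosts it falls back to the weaker indicator the KB mentions, VIBs at the CommunitySupported acceptance level.

```powershell
# Added example; not the KB's attached script. Assumptions are marked below.
param(
    [Parameter(Mandatory)] [string] $VCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter   # prompts for the SSO admin credentials

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Host acceptance level; CommunitySupported is the level that admits unsigned VIBs.
    $acceptance = $esxcli.software.acceptance.get.Invoke()

    if ($esxcli.software.vib.signature) {
        # ESXi 7.0+: ask the host to verify every installed VIB's signature.
        # Assumption: namespace exists and rows carry a 'SignatureVerification' field.
        $flagged = $esxcli.software.vib.signature.verify.Invoke() |
            Where-Object { $_.SignatureVerification -ne 'Succeeded' }
        $method = 'signature verify'
    } else {
        # Older hosts: no per-VIB verification via esxcli, so fall back to the
        # KB's weaker indicator, VIBs at the CommunitySupported acceptance level.
        $flagged = $esxcli.software.vib.list.Invoke() |
            Where-Object { $_.AcceptanceLevel -eq 'CommunitySupported' }
        $method = 'acceptance level only'
    }

    # KB 89619 notes that ESXi 6.5 can report esx-base as unsigned (see KB 79790);
    # keep it in the report but tag it so an analyst reviews it rather than ignores it.
    $details = $flagged | ForEach-Object {
        $tag = if ($vmhost.Version -like '6.5*' -and $_.Name -eq 'esx-base') { ' [KB 79790 known issue?]' } else { '' }
        "$($_.Name) $($_.Version) ($($_.Vendor), $($_.AcceptanceLevel))$tag"
    }

    [pscustomobject]@{
        Host            = $vmhost.Name
        ESXiVersion     = $vmhost.Version
        AcceptanceLevel = $acceptance
        Method          = $method
        FlaggedVIBs     = $details -join '; '
        OverallStatus   = if ($flagged) { 'Not Good' } else { 'Good' }
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Any host reported as Not Good should be handled as the KB describes: establish the origin of each flagged VIB before treating it as evidence of compromise, and follow your incident response process if the origin cannot be explained.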
ATTACHMENTS
* KB89619_Verify_Unsigned_VIBs_on_ESXi_(ver_1.2)

RELATED PRODUCTS:
* VMware vSphere
* ESXi

Copyright © 2022 VMware, Inc. All rights reserved.