The system must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.

From VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide

Part of SRG-APP-000516

Associated with: CCI-000366

SV-78477r1_rule The system must disable the managed object browser at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.

Vulnerability discussion

The managed object browser provides a way to explore the object model used by the vCenter to manage the vSphere environment; it enables configurations to be changed as well. This interface is used primarily for debugging, and could be used to perform malicious configuration changes or actions.

Check content

The Managed Object Browser (MOB) was designed to be used by SDK developers to assist in the development, programming, and debugging of objects. It is an inventory object, full-access interface, allowing attackers to determine the inventory path of an infrastructure's managed entities.

Check the operational status of the MOB:

Determine the location of the vpxd.cfg file on the vCenter Server's Windows OS host. Edit the file and locate the ... element. Ensure the following element is set:

<enableDebugBrowse>false</enableDebugBrowse>

If the MOB is currently enabled, ask the SA if it is being used for object maintenance.

If the enableDebugBrowse element is enabled (set to true), and object maintenance is not being performed, this is a finding.

If the enableDebugBrowse element is enabled (set to true), and object maintenance is being performed, this is not a finding.
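The check above as a script, added here as an example and not part of the STIG: it reads the contents of a vpxd.cfg, reports the state of enableDebugBrowse, and applies the finding logic. The sample config layout, the function names, and the "review" result for a missing or malformed element are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample; the surrounding element names are assumed for illustration.
SAMPLE_CFG = """<config>
  <vpxd>
    <enableDebugBrowse>true</enableDebugBrowse>
  </vpxd>
</config>"""


def mob_state(cfg_text):
    """Return 'enabled', 'disabled', 'unset' or 'invalid' for enableDebugBrowse."""
    root = ET.fromstring(cfg_text)
    # Match by element name only, so the result does not depend on the parent path.
    values = [(e.text or "").strip().lower() for e in root.iter("enableDebugBrowse")]
    if not values:
        return "unset"
    # Duplicate elements: any 'true' counts as enabled so the check fails safe.
    if "true" in values:
        return "enabled"
    if all(v == "false" for v in values):
        return "disabled"
    return "invalid"


def evaluate(cfg_text, maintenance_in_progress=False):
    """Apply the check content: enabled without object maintenance is a finding."""
    state = mob_state(cfg_text)
    if state == "enabled":
        return "not a finding" if maintenance_in_progress else "finding"
    if state == "disabled":
        return "not a finding"
    # The check text does not cover a missing or malformed element;
    # flagging it for manual review is this example's assumption.
    return "review"


if __name__ == "__main__":
    # Pass the path to vpxd.cfg as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CFG
    print(mob_state(text), "->", evaluate(text))
```

The maintenance_in_progress flag stands in for the answer the SA gives when asked whether the MOB is being used for object maintenance.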

Fix text

If the datastore browser is enabled and required for object maintenance, no fix is immediately required.

Disable the managed object browser:

Determine the location of the vpxd.cfg file on the Windows host. Edit the file and locate the ... element. Ensure the following element is set:

<enableDebugBrowse>false</enableDebugBrowse>

Restart the vCenter Service to ensure the configuration file change(s) are in effect.
