ESXi detect build number with "n"

eMoon · September 16, 2020, 8:56am

I scanned my ESXi 6.0.0 build 5572656, VMware ESX(i) Detection (HTTP) report show a correct build number, but follow vulnerability report show a result with build number like “n”:

VMSA-2017-0006: VMware ESXi updates address critical and moderate security issues (remote check)
VMSA-2016-0002: VMware product updates address a critical glibc security vulnerability (remote check)
VMSA-2016-0001 VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability (remote check)
VMSA-2016-0010 (CVE-2016-5331) ESXi: VMware product updates address multiple important security issues (remote check)
VMSA-2016-003: VMware ESXi updates address a cross-site scripting issue (remote check)

cfi · September 21, 2020, 2:16pm

Thanks for your report.

There was indeed a problem with the build extraction for ESXi. This has been fixed today and the changes should arrive in the feeds in the next couple of days.

eMoon · September 24, 2020, 3:59am

Thanks, I updated and rescaned, the detected build number is 2494585 now, it’s still incorrect

cfi · September 24, 2020, 6:03pm

This looks like expected. The build number is provided by ESXi via the queried API endpoint, you can check that by having a look at the “Concluded from version/product identification result:” output of the following VT:

Name: VMware ESX(i) Detection (HTTP)
OID: 1.3.6.1.4.1.25623.1.0.103418

eMoon · September 25, 2020, 5:14am

VMware ESX(i) Detection (HTTP) result is correct, same as before:
Detected VMware ESXi
Version: 6.0.0
Build: 5572656
Location: /
CPE: cpe:/o:vmware:esxi:6.0.0

cfi · September 25, 2020, 5:24pm

If the HTTP Detection-VT is showing the correct build then i don’t see any way how the Vulnerability-VT can show a different build. If we’re checking the gb_vmware_esx_web_detect.nasl VT we can see the following around line 127:

      replace_kb_item(name:"VMware/ESX/build", value:_build[1]);
      build = _build[1];

and the build variable is later used for the reporting in the Detection-VT in line 159:

                                         build:build,

as well as in the Vulnerability-VT like e.g. 2017/gb_VMSA-2017-0006_remote.nasl for the reporting:

if( ! esxBuild = get_kb_item( "VMware/ESX/build" ) ) exit( 0 );

The only real explanation for a discrepancy in the build between the HTTP Detection-VT and the Vulnerability-VT could be that the Detection is happening via SNMP (in addition to the Detection via HTTP) with the following VT and ESXi is reporting a wrong / older build number via SNMP:

Name: VMware ESX detection (SNMP)
OID: 1.3.6.1.4.1.25623.1.0.103418

If this is really the case then i don’t think that there is much what can be done about that if the ESXi is reporting a wrong / outdated build via SNMP.

eMoon · September 25, 2020, 5:50pm

VMware ESX(i) Detection (HTTP) result is correct from the beginning, and the Vulnerability result changed from “n” when I updated.
I cann’t find any build number from other Detection-VT, and SNMP service is stopped.
But I started SNMP service and rescanned, and a few server passed Vulnerability-VT.
That’s weird.

cfi · September 26, 2020, 9:17am

Yes, that is indeed very wired and (unfortunately) i don’t have any explanation for this.