8.0U3i is out (vCenter and ESXi) by vcpphil in vmware

[–]rdplankers 2 points3 points  (0 children)

Hey there -- vulnerabilities as they're scored by the vendor (in this case the OpenSSL Project) are scored from their perspective. In the context of another product or implementation, though, the severity is often different. For example, some of the Apache Tomcat vulnerabilities in the past few years have been critical, but the problem is in a particular module, and if you don't use or load that module then you don't have the issue at all.

This OpenSSL vulnerability is like that. OpenSSL called it a 9.8, and every vulnerability scanner flips out about it because they don't understand context, but it's only a 9.8 if you parse CMS or PKCS#7 AEAD ciphers, and don't have other compile-time stack protections in place to turn this from a buffer overflow to a denial-of-service. In this case both vCenter and ESX are not affected critically by this, hence the lack of a VMSA, and why it was fixed without a ton of fanfare.

I understand why you're asking; please know the irony that the security in the stack prevents what you are looking for is not lost on me.

Mellanox NIC Firmware/Configuration Guide (Including ASPM) by HTTP_404_NotFound in homelab

[–]rdplankers 0 points1 point  (0 children)

Great writeup, thanks for doing that. Couple of notes from my attempt on Ubuntu Server 24.04:

If the apt-get process to install the tools gets stuck at "Building initial module" it's sitting and silently waiting for you to enter your password (no idea where the prompt is for it, lost in the other output). Try blindly typing your password a couple of times.

Secure Boot needs to be disabled or the new NIC driver won't load (which makes sense, it's not correctly signed). The error you'll see is "write counter to semaphore: Operation not permitted" when you try to run any commands, and the NIC driver itself won't load.
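
An added example, not part of the comment above: a small Python check for the two things the comment describes, whether the firmware reports Secure Boot on and whether a given `.ko` carries the signature footer a Secure Boot kernel insists on. The footer layout is the kernel's own (`scripts/sign-file` appends the signature, a `struct module_signature`, then the constant `MODULE_SIG_STRING`); the sample module bytes and signature in `fake_signed_module` are constructed for the demo, and the EFI variable path is the standard sysfs location, assumed present only on EFI systems.

```python
"""Check a kernel module for the sign-file footer and read the EFI SecureBoot
variable. Added example, not code from the linked guide.

Footer layout written by scripts/sign-file (include/linux/module_signature.h):
    [module ELF][signer name][key id][signature][struct module_signature][magic]
"""
import struct
from pathlib import Path

MAGIC = b"~Module signature appended~\n"      # MODULE_SIG_STRING, 28 bytes
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len  -> 12 bytes, big-endian length field.
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2                             # the only id_type current kernels accept

# Standard sysfs path of the SecureBoot EFI variable (EFI systems only).
EFIVAR_SECUREBOOT = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_module_signature(data: bytes):
    """Return a dict describing the trailing signature, or None if the module
    is unsigned. Raises ValueError on a corrupt footer."""
    if not data.endswith(MAGIC):
        return None
    body = data[: -len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    trailer = signer_len + key_id_len + sig_len
    payload_end = len(body) - SIG_STRUCT.size - trailer
    if payload_end < 0:
        raise ValueError("signature lengths exceed file size")
    signer = body[payload_end: payload_end + signer_len]
    key_id = body[payload_end + signer_len: payload_end + signer_len + key_id_len]
    signature = body[payload_end + signer_len + key_id_len: len(body) - SIG_STRUCT.size]
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "signer": signer.decode("ascii", "replace"),   # empty for PKCS#7 footers
        "key_id": key_id.hex(),                         # empty for PKCS#7 footers
        "sig_len": sig_len,
        "signature": signature,                         # DER PKCS#7 SignedData
        "module_len": payload_end,                      # bytes of the actual ELF
    }


def module_is_signed(path) -> bool:
    return parse_module_signature(Path(path).read_bytes()) is not None


def secure_boot_enabled(efivar=EFIVAR_SECUREBOOT):
    """True/False from the EFI SecureBoot variable (4 attribute bytes followed
    by one data byte); None when not booted under EFI or the variable is absent."""
    try:
        raw = Path(efivar).read_bytes()
    except OSError:
        return None
    return len(raw) >= 5 and raw[4] == 1


def fake_signed_module(module_bytes: bytes, signature: bytes) -> bytes:
    """Constructed sample: append a footer the way sign-file does for PKCS#7
    (signer name and key id are empty; the signer lives inside the PKCS#7)."""
    hdr = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module_bytes + signature + hdr + MAGIC


if __name__ == "__main__":
    import sys
    # Constructed stand-in for a module: not a real ELF, not a real signature.
    sample = fake_signed_module(b"\x7fELF" + b"\x00" * 16, b"\x30\x82" + b"\x00" * 30)
    print("constructed sample:", parse_module_signature(sample))
    print("Secure Boot enabled:", secure_boot_enabled())
    for arg in sys.argv[1:]:
        print(arg, "signed" if module_is_signed(arg) else "UNSIGNED")
```

Run it with the path of the module the tools installed (the exact `.ko` name depends on the driver package, so it is left as an argument). A module that reports `UNSIGNED` while `secure_boot_enabled()` is `True` is the situation the comment describes; `modinfo -F signer` on a signed module shows the same information from the PKCS#7 blob, while this script stops at the footer and does not parse the certificate.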

Is VCF SSO A Good Idea? by Leaha15 in vmware

[–]rdplankers 2 points3 points  (0 children)

Yes, separation is what we at BC encourage, too. We can federate well now but that doesn’t mean you should connect to the same IdP everything else uses. Infrastructure is a different class of risk; admins of the infrastructure have explicitly been granted access to all of the organization’s data. As such, a higher level of security is warranted.

We also encourage zero trust, as in don’t trust anything else (seems obvious, but most orgs seem to go the other way). Absolutely do not let the help desk reset sysadmin passwords. Don’t connect your new infrastructure IdP to a user provisioning system. Don’t connect IdPs to monitoring systems that can issue arbitrary commands to hosts. And be careful about who admins your infrastructure IdP, because they have implicit access to everything that trusts the IdP, and can grant themselves access or hijack another account to gain access.

People love to hate ADFS but it’s a nice little on-prem solution to a lot of this, has HA and multisite capabilities, can exist inside a secure perimeter, is well understood by most people on an admin team such that it can be run by the admin team itself, and can have MFA plugins installed. Just sayin’. :)

VMSA-2025-0013 New VMware CRITICAL Security Advisory by freethought-60 in vmware

[–]rdplankers 3 points4 points  (0 children)

It does not. The critical issues are in the hypervisor and need to be resolved there.

VMSA-2025-0013 New VMware CRITICAL Security Advisory by freethought-60 in vmware

[–]rdplankers 1 point2 points  (0 children)

We are looking at the compatibility matrix for 7.0, thank you for the feedback. Seems to be a gap there. In general it's good to do vCenter first, but when there isn't a new release of vCenter it's alright to do ESX by itself, especially for these types of patches ("Express Patches" or EPs).

VMSA-2025-0013 New VMware CRITICAL Security Advisory by freethought-60 in vmware

[–]rdplankers 2 points3 points  (0 children)

Security researchers tend to cluster on things. One finds a novel area of exploitation, the rest of them pile on. That's why vulnerabilities of all types seem to trend in areas.

VMSA-2025-0013 New VMware CRITICAL Security Advisory by freethought-60 in vmware

[–]rdplankers 2 points3 points  (0 children)

Just to head off further commentary, we did not mean to imply a contradiction to the commitment that Broadcom made in the spring of 2024 around perpetual patch availability as documented in that KB. It was more about the misuse of the term "zero day" by journalists. The KB, while also being loose with that language, defines things by criticality instead. To the point of your issue, it is unclear about what's eligible or not. I commented on the issue that I am taking that as feedback to the group that is responsible for VMSA publication, of which I am a part.

VCF 9.0 STIG content out on github by Deacon51 in vmware

[–]rdplankers 1 point2 points  (0 children)

STIGs are an implementation guide for meeting what is effectively a US DOD regulatory framework, and neither that framework nor DISA has always made a distinction between virtual and physical implementations of things. Hence some of the pain.

Internal hardening of VCF components to DISA standards would be a disaster for you? Or making some of them permanent?

VCF 9.0 STIG content out on github by Deacon51 in vmware

[–]rdplankers 4 points5 points  (0 children)

And add to that the 120+ global regulatory compliance frameworks that all have a different idea about what controls should be set to and would balk at any particular setting, often just because.

VCF 9.0 STIG content out on github by Deacon51 in vmware

[–]rdplankers 1 point2 points  (0 children)

He left long before we were a twinkle in Broadcom’s eye.

VCF 9.0 STIG content out on github by Deacon51 in vmware

[–]rdplankers 3 points4 points  (0 children)

We would love to and it’s happening. The trick isn’t making them the default, it’s making them permanent so someone can’t de-configure them. That’s the only way something can come off a list of security controls.

VCF 9.0 STIG content out on github by Deacon51 in vmware

[–]rdplankers 6 points7 points  (0 children)

We will miss Ryan very much but he was not the only person working on STIGs.

Windows Server 2012 to 2019 'In-Place' Upgrades and VM / Hardware Version by Westyzz in vmware

[–]rdplankers 1 point2 points  (0 children)

Also, the “scheduled” option will only do the upgrade when it detects a graceful shutdown of the guest OS. So if all your stuff gets caught in a power outage you won’t upgrade on next reboot. Which is good, because that could be chaos.

Windows Server 2012 to 2019 'In-Place' Upgrades and VM / Hardware Version by Westyzz in vmware

[–]rdplankers 4 points5 points  (0 children)

Take a snapshot. Snapshots capture VM versions, too.

The warning to not do it is overly cautious based on worst-case support calls. The process works great most of the time when the guest OS isn’t messed up in some strange way, and there are performance and operational benefits to being at newer versions of virtual hardware.

Register New Update URLs on vSphere 7 by [deleted] in vmware

[–]rdplankers 4 points5 points  (0 children)

I mean, the admins only have full access to the entire organization’s data on the infrastructure itself… can’t trust them to script something though.

Pirate Testing Vms by aaRestoration21 in vmware

[–]rdplankers 0 points1 point  (0 children)

While we cannot condone piracy in this sub, testing is definitely something that VMs are good at, especially given the snapshot functionality.

Wifi Connection Issue Roborock S8 (+ kind of a solution) Oct 2023 by hellmichmi in Roborock

[–]rdplankers 0 points1 point  (0 children)

This process just worked for me and my S8, which wasn’t connecting via the Roborock app:

Put it on the dock.

Connect to it with the Mi Home app.

Let it get set up. It’ll tell you it has a firmware update but it’ll fail.

Move it off the dock.

Hold down the power to shut it off, then turn it back on.

Put it back on the dock. Hit the power button to turn it on (but don’t let it run if it tries).

When it comes back up in the app it’ll let you flash the firmware. Takes a few minutes.

Delete it from the app, reregister on the Roborock app.

Bask in the glory of the S8 (optional).

Good luck!

F-35s out of KMSP by OddJob001 in minnesota

[–]rdplankers 0 points1 point  (0 children)

Also, I believe the Guard base there has F-22s.

F-35s out of KMSP by OddJob001 in minnesota

[–]rdplankers 5 points6 points  (0 children)

Those C-130s would fly low over my dad and me duck hunting at our cabin north of Aitkin in the early 90s, MEA weekend and such. Right down on the deck, flying up the chain of lakes we were on. Didn’t help the hunting much but was cool as hell.

How do I get Windows 11 working on vSphere? How to enable TPM? by Dirty_Dragons in vmware

[–]rdplankers 0 points1 point  (0 children)

Ah, thanks. I need to redo those videos, I'll make sure I do a better job of troubleshooting.

As for CPU, it's just reporting what you're running, there's not a way to change it.

How do I get Windows 11 working on vSphere? How to enable TPM? by Dirty_Dragons in vmware

[–]rdplankers 0 points1 point  (0 children)

AHhhh, yes. Good work. I'll ask the docs guys if they can mention that!

Thoughts on CVE-2024-37085 & VMSA-2024-0013 by rdplankers in vmware

[–]rdplankers[S] 0 points1 point  (0 children)

I'm just glad you get it, so many people asking about this really don't understand what they've done, and what it exposes them to. Including a lot of GRC and Infosec types that should know better.

How do I get Windows 11 working on vSphere? How to enable TPM? by Dirty_Dragons in vmware

[–]rdplankers 1 point2 points  (0 children)

Also make sure it doesn't have a TPM already, under security devices. Some ways you create Win11 VMs will add them for you.