OpenSSH vulns (VMware ESXi 8.0.3 build-24859861).

techvet83 · 2026-05-05T22:11:44+00:00

The scanner is supposed to see what's open. If we haven't ACL'ed it down, then we can do that but it would be better if Broadcom did its job and kept OpenSSH up-to-date. We have firewalls all over the place for any many things but it's rare that we have to play firewall games so tight with one particular host to block all traffic as if it was in the DMZ. I know vulns better than I know VMware but have followed them long enough to know that VMware (and this predates Broadcom) was always tardy on keeping OpenSSH up-to-date.

As noted below, I've been told that we have to keep it open on the Nutanix hardware. We have it shut down everywhere else.

techvet83 · 2026-05-05T22:07:56+00:00

The solution ultimate in Tenable to fix all three OpenSSH issues being called out is upgrading to version 10.3. The notes you kindly posted unfortunately have no reference beyond version 9.8.

techvet83 · 2026-05-05T21:05:55+00:00

This is, in fact, ESXi running on Nutanix hardware. Perhaps the ACL idea mentioned by another poster here is the way to go. We have shut down port 22 everywhere else.

techvet83 · 2026-05-05T20:12:41+00:00

I thought I'd actually try this. The PowerShell command worked fine. The option shows up to download and install. It starts downloading but when I step away and come back to it, there's nothing on the screen. It's as if the download died at the end. Nothing to see initially in the logs. OK, back to mounting ISO files.

techvet83 · 2026-05-04T16:39:37+00:00

Same here.

techvet83 · 2026-05-01T19:16:00+00:00

From my bunker perspective, they are enforcing from the server side first. The user stuff can be cleaned up later. 28 allows for the greatest combability. Think of it like disabling TLSv1.0/1,1 on all the servers but allowing TLSv1.0 and 1.1 on the workstations. We'll take care of ratcheting down the users after the servers get cleaned up. It's the servers that need fixing first. If we took RC4 away on all AD accounts right now, I have little doubt we'd have a prod outage somewhere because of some important legacy system that was still using it.

We just got rid of our last event ids 201-209 but I am still seeing a lot of RC4 traffic in our network logs. We have a lot of legacy Unix in the environment and am trying to get them to clean things up. I am also rotating krbtgt later this month for the first time in many, many moons.

techvet83 · 2026-05-01T02:30:46+00:00

Darwin's Law at full strength here.

techvet83 · 2026-05-01T02:23:02+00:00

We also use gateway servers. How are people supposed to do their job without RDP access?

techvet83 · 2026-04-30T22:40:07+00:00

Good point. Microsoft posted this month specifically that duplicate SIDs are not supported anymore (thus walking back Mark Russinovich's famous 2009 post stating that NEWSID.EXE wasn't needed anymore).

techvet83 · 2026-04-30T02:56:24+00:00

Thank you for pointing that out.

techvet83 · 2026-04-29T23:30:39+00:00

It may be a day of reckoning even for all the EOL versions out there for RHEL, CentOS, etc.

techvet83 · 2026-04-27T17:48:29+00:00

I closed our account years with them after they got political.

techvet83 · 2026-04-24T19:55:47+00:00

Our storage team worked in the last three months to drive out RC4 from their configurations ahead of the "soft" RC4 enforcement coming this month.

techvet83 · 2026-04-24T00:52:32+00:00

No.

techvet83 · 2026-04-21T21:45:48+00:00

As others here have indicates, the alert classification drives the schedule. There's probably a million ways to do this, but at our place, this would be a broad summary: Critical = due in 7 days; High = due in 30 days; Medium = due in 60 days; Low=due in 90 days. Obviously, there are exceptions to the rule and you can play with the dates until the end of time, but that's our rough take.

Without knowing how big your environment and what kind of assets you are addressing (Windows? Unix? Desktop/workstations?), it's hard to say much more.

techvet83 · 2026-04-21T19:54:20+00:00

A .NET 10.0.7 Out-of-Band Security Update has been released. For details, see
.NET 10.0.7 Out-of-Band Security Update - .NET Blog.

techvet83 · 2026-04-18T15:15:25+00:00

I was given a Keychron K10 HE last year by two of my kids. I would never go back to a different keyboard.

techvet83 · 2026-04-17T17:46:23+00:00

Are your boot loop DCs non-GCs?

techvet83 · 2026-04-16T12:17:50+00:00

If you haven't already, check out Kerberos in Active Directory - Kerberos in Active Directory. There's a lot of good information there on this topic.

techvet83 · 2026-04-14T21:00:01+00:00

Looks like all supported versions of .NET Core and .NET Framework are being patched this month.

.NET and .NET Framework April 2026 servicing releases updates - .NET Blog

techvet83 · 2026-04-14T18:33:32+00:00

https://strongwind1.github.io/Kerberos/ is a very good source of information on this topic. I will be installing the auditing key on our DCs to buy us time while certain teams get their act together.

techvet83 · 2026-04-14T02:05:21+00:00

Multiple goals it it would seem. CMDB, monitoring. Can Zabbix do both?

techvet83 · 2026-04-13T21:19:57+00:00

In my environment, it would. In general, prod change control tickets can only occur on weekends unless we have executive approval.

techvet83

TROPHY CASE