Security issue after updating to vCenter 6.0


I did a crazy thing last week: I decided to update our vCenter appliance (VCSA) from version 5.5 U3a to version 6.0 Update 1 (build 3040890). I was surprised how flawlessly it went. It was finished in a couple of hours and "almost" everything was working as expected, so a big success 🙂

Until users started to report some permission problems. For example, those who had rights only to power on VMs couldn't do it using the Web Client and got a "File not found" error, and so on. This wasn't actually such a big concern until I tried another thing.

I had to patch one ESXi host using Update Manager and noticed that it was actually working when it shouldn't have been. Update Manager was using a LocalOS account which didn't exist in the new VCSA 6.0 anymore, so I started digging.

I removed permissions for my personal account and I was still able to log in and do all administrator tasks. Obviously I removed it at all levels, including Global Permissions. My account wasn't showing in any GUI, either the Web Client or the vSphere Client.

This is in my opinion a huge security flaw, as you cannot effectively revoke access for users who had it in the old vCenter 5.5.

I found KB 2123931 regarding permissions in vCenter 6.0. I tried to find my account in both new locations, cis_kv_keyvalue and also Lotus, but it wasn't there.

The KB also says the VPX_ACCESS table is not used anymore; however, when I tried to select from it, I could find all the old users and their permissions, including mine.

So I decided to truncate (clear) the vpx_access table to see if it helps, since it wasn't supposed to be used anyway :). And it did help, so it looks like it was still in use!

After I restarted the vCenter services I was finally getting a "no permissions" error, and I wasn't able to log in under my account anymore. Permissions for the others worked fine and were intact, as they should be.

Steps to clear old permissions:

1. Take a snapshot of your vCenter appliance (the table is deleted in place, so the snapshot is your only rollback).

2. Follow KB 2123931 up to step 6 to enter the Postgres shell.

3. To see the records in the old table, enter:

select * from vpx_access;

4. To delete the records (not the table) enter:

truncate vpx_access;

5. Restart the vCenter services as instructed in the KB:

service-control --stop --all

service-control --start --all

6. Verify that an account you removed can no longer log in and that the remaining accounts still have the permissions they should.
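The same clean-up done a bit more carefully, as an added example that is not from the original post: the legacy rows are exported first, then deleted inside a transaction so the row count can be checked before anything is committed. It is meant to be run in the psql shell reached via step 6 of KB 2123931. The column names (principal, role_id, entity_id, flag), the backup path and the principal name are assumptions; confirm the columns with `\d vpx_access` before running it.

```sql
-- Added example, not from the original post.
-- Run in the embedded Postgres shell of the VCSA 6.0 (KB 2123931, step 6).
-- Column names, the CSV path and 'DOMAIN\user' are assumptions.

-- 1. Keep a copy of the legacy rows before touching them (psql meta-command).
\copy vpx_access TO '/tmp/vpx_access_legacy.csv' WITH CSV HEADER

-- 2. Review what is still in the old table: every principal listed here
--    is one that 5.5 granted access to and that the 6.0 GUIs no longer show.
SELECT COUNT(*) AS legacy_rows FROM vpx_access;
SELECT principal, role_id, entity_id, flag
  FROM vpx_access
 ORDER BY principal;

-- 3. Delete inside a transaction. Start with a targeted delete for the
--    account whose access should have been revoked, re-count, and only
--    then commit. ROLLBACK instead of COMMIT if the numbers look wrong.
BEGIN;
DELETE FROM vpx_access WHERE principal = 'DOMAIN\user';   -- assumed principal
SELECT COUNT(*) AS remaining_rows FROM vpx_access;
COMMIT;

-- 4. Clearing everything, as the post did. TRUNCATE is transactional in
--    PostgreSQL, so the same BEGIN / verify / COMMIT pattern applies.
BEGIN;
TRUNCATE vpx_access;
SELECT COUNT(*) AS remaining_rows FROM vpx_access;   -- expect 0
COMMIT;
```

After the COMMIT, restart the services with `service-control --stop --all` and `service-control --start --all` as in the steps above, then confirm that the removed account gets the "no permissions" error while the accounts defined in the 6.0 permission store still work. Keep the CSV until that check has passed.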


Another error which this fixed for my account was the error when trying to search using the vSphere Client:

"Unable to connect to web services to execute query. Verify that the 'VMware VirtualCenter Management Webservices' service is running on https://vcenter:443/invsvc"


About Dusan Tekeljak

Dusan has over 8 years of experience in the virtualization field. Currently working as Senior VMware Platform Architect at one of the biggest retail banks in Slovakia. He has a background in closely related technologies including server operating systems, networking and storage. Used to be a member of the VMware Center of Excellence at IBM, co-author of several Redpapers. His main scope of work consists of designing and performance optimization of business-critical virtualized solutions on vSphere, including, but not limited to, Oracle WebLogic, MSSQL and others. He holds several IT industry-leading certifications like VCAP-DCD, VCAP-DCA, MCITP and others. Honored with #vExpert2015-2018 awards by VMware for his contribution to the community. Opinions are my own!