Guideline ID : ESXi.remove-revoked-certificates

Vulnerability Discussion : By default, ESXi hosts do not have CRL checking available, so revoked certificates must be checked and removed manually. These are typically custom-generated certificates from a corporate certificate authority or a third-party authority.

Risk Profile : 1, 23

Description : Leaving expired or revoked certificates, or installation logs from a failed vCenter Server installation, on your vCenter Server system can compromise your environment.

Removing expired or revoked certificates is required for the following reasons:

  • If expired or revoked certificates are not removed from the vCenter Server system, the environment can be subject to a man-in-the-middle (MiTM) attack.

  • In certain cases, a log file that contains the database password in plain text is created on the system if vCenter Server installation fails. An attacker who breaks into the vCenter Server system might gain access to this password and, at the same time, access to the vCenter Server database.
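The manual check the vulnerability discussion calls for can be scripted with the openssl CLI. The following is an added example, not part of the original guideline or VMware tooling: it classifies a PEM certificate as expired, revoked or OK against the issuing CA's CRL. The function names and the throwaway demo CA are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: manual expiry/revocation check of a PEM certificate via openssl.
# Usage (file names are placeholders): sh check.sh CERT.pem CRL.pem

# Serial number of a certificate, as uppercase hex.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Serials listed as revoked in a PEM CRL, one per line.
crl_serials() {
  openssl crl -in "$1" -noout -text |
    sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\).*/\1/p'
}

# cert_status CERT CRL -> UNREADABLE | EXPIRED | CRL_ISSUER_MISMATCH | REVOKED | OK
cert_status() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo EXPIRED; return 0; }
  # Serials are only unique per issuer, so the CRL must come from the cert's issuer.
  if [ "$(openssl x509 -in "$1" -noout -issuer_hash)" != \
       "$(openssl crl -in "$2" -noout -hash)" ]; then
    echo CRL_ISSUER_MISMATCH; return 0
  fi
  if crl_serials "$2" | grep -qxF "$(cert_serial "$1")"; then
    echo REVOKED; return 0
  fi
  echo OK
}

# Constructed sample data: throwaway CA, two host certs, host-b revoked.
make_demo_pki() {
  d=$1; mkdir -p "$d"; : > "$d/index.txt"
  printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\n' "$d" > "$d/ca.cnf"
  printf 'default_md=sha256\ndefault_crl_days=7\n' >> "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  for h in host-a host-b; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$h" \
      -keyout "$d/$h.key" -out "$d/$h.csr" 2>/dev/null
    openssl x509 -req -in "$d/$h.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 30 -out "$d/$h.pem" 2>/dev/null
  done
  openssl ca -config "$d/ca.cnf" -cert "$d/ca.pem" -keyfile "$d/ca.key" \
    -revoke "$d/host-b.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -cert "$d/ca.pem" -keyfile "$d/ca.key" \
    -gencrl -out "$d/crl.pem" 2>/dev/null
}

if [ "$#" -eq 2 ]; then cert_status "$1" "$2"; fi
```

The check is only as current as the CRL file it is given, so fetch a fresh CRL from the issuing CA before each run.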
