Forum Discussion
VMware vCenter Integrations Functionality Changes
Summary
We will be releasing changes to the functionality of the VMware vCenter Integrations; this document will describe those changes. These changes do not affect the discovery and reporting of VMware Security Advisories.
Vulnerability Management
There will be no changes to the discovery and vulnerability assessment functionality for vCenter and ESXi. Tenable is able to collect required versions unauthenticated using vmware_vsphere_detect.nbin (57396) and vmware_vcenter_detect.nbin (63061). These checks can be found in the VMware ESX Local Security Checks plugin family and require no authentication via the integration.
vCenter Integration Informational VIBs and Host data
With authentication via the VMware vCenter Integrations we are able to collect vCenter Installation Bundle (VIB) data; this is a full package list of all installed packages on each ESXi host managed by vCenter. Prior to the upcoming changes, the VMware vCenter integration collects data from both the REST and SOAP API endpoints. Once the changes are released, this functionality will be split into two different collection methods in separate plugins.
- Plugin 63062, vmware_vcenter_collect.nbin will be used to collect VIB and Host data from the REST API. This will work against vCenter versions 7.0.3 and later.
- Plugin 180178, vmware_vcenter_collect_legacy.nbin will be used to collect VIB and Host data from the SOAP API. This will work against vCenter versions 6.x and earlier. We will no longer support new features or patches to this plugin going forward but intend to leave it enabled for those that would like to use it against end of life targets.
The integration will supply a list of all active and inactive VMs discovered on each ESXi host in the following plugins: vmware_vcenter_active_vms.nbin, vmware_vcenter_inactive_vms.nbin, vmware_active_vms.nbin and vmware_inactive_vms.nbin.
vCenter Integration Auto Discovery
Auto Discovery of ESXi hosts and virtual machines is a feature that allows Tenable to find and add targets to the scan that were not targeted during Scan Policy creation. This saves time from having to know all the targets ahead of time when scanning vCenter servers.
As part of the upcoming changes, we have moved this feature into a new plugin, vmware_vcenter_auto_discovery.nbin (180179). This feature requires vCenter Integration authentication against VMware vCenter version 7.0.3 and later with the REST API enabled. The UI has two options for selecting either ESXi hosts or virtual machines to be discovered and added to the scan.
Audit and Compliance
Nessus has the ability to scan ESXi and vCenter servers with CIS, DISA and best practice audits. These compliance checks are done with vmware_compliance_check.nbin, and the functionality of these will not be impacted by the other changes made to the vCenter integration.
Impacted Plugins
Tenable Plugin Name (Plugin ID) : Supported VMware Versions
- vmware_vcenter_collect.nbin (63062) : 7.0.3+, 8.0+
- vmware_vcenter_collect_legacy.nbin (180178) : 6.x
- vmware_vcenter_auto_discovery.nbin (180179) : 7.0.3+, 8.0+
- vmware_vsphere_detect.nasl (57396) : 5.x, 6.x, 7.x, 8.x
- vmware_vcenter_detect.nasl (63061) : 5.x, 6.x, 7.x, 8.x
- vmware_vcenter_active_vms.nbin (84340) : 5.x, 6.x, 7.0.3+, 8.x
- vmware_vcenter_inactive_vms.nbin (84341) : 5.x, 6.x, 7.0.3+, 8.x
- vmware_vcenter_installed_vibs.nbin (154017) : 5.x, 6.x, 7.0.3+, 8.x
- vmware_installed_vibs.nbin (57400) : 6.x
- vmware_active_vms.nbin (57397) : 6.x
- vmware_inactive_vms.nbin (57398) : 6.x
- vmware_compliance_check.nbin (64455) : 6.x, 7.x
Documentation Updates
In addition to these changes, all documentation related to the VMware vCenter integrations will be updated accordingly to reflect these changes.
Target Release Date
Monday September 11, 2023
6 Replies
If you use the auto discovery feature to scan VMs and the VMs are dual-stacked (IPv4 & IPv6), can/will it scan both IPs?
- Anonymous
Hello Bryan, this feature does not currently support IPv6 addresses, so it would only target the IPv4 address.
Was this released today?
- Anonymous
This feature is in the process of getting released today; it should be out in an upcoming feed.
- adam_walter (Connect Contributor II)
Can someone help me understand the auto discovery feature, please? Plugin 63062 is returning lists of active/inactive VMs as expected, but the notes above say "The UI has two options for selecting either ESXi hosts or virtual machines to be discovered and added to the scan." - which UI is this referring to? Where do I find these options (in Tenable Vulnerability Management) to ensure discovered VMs are added to my scan?
Thanks.
- adam_walter (Connect Contributor II)
Perhaps a link to the documentation on 'VMWare Integration' would help, as I cannot find this. This reads to me as though an 'integration' is something additional that I haven't set up, and if that's the case, I don't know how or where to do this.