{
  "authors": [
    {
      "email": "rules@neuralwall.io",
      "name": "NeuralWall Rules Team",
      "org": "NeuralWall"
    }
  ],
  "description": {
    "en": "This profile covers the network flows of the vCenter Server Appliance (VCSA) from\nBroadcom, deployed to centrally manage a pool of ESXi hosts in a VMware vSphere\ninfrastructure. The VCSA exposes the vSphere Client and the REST API/SDK (HTTPS 443) to\nadministrators and automation, and the VAMI (vCenter Appliance Management Interface,\nTCP 5480) for appliance-level administration. It drives ESXi hosts over a bidirectional\nmanagement channel, vpxd↔vpxa (TCP 902, TCP 443, plus the UDP 902 host heartbeat).\nConditional services cover: ESXi network provisioning via Auto Deploy (TCP 6501/6502,\nwith TFTP UDP 69 on the separate TFTP server for legacy PXE boot), vSphere Lifecycle\nManager (vLCM) host lifecycle management (ports 9087/9084/8084/8083), vSphere Replication\nmanagement (8043), Active Directory integration (Kerberos 88, LDAP 389/636, Kerberos\npassword change 464), SNMP monitoring, and syslog forwarding. An outbound flow to\ndl.broadcom.com enables update downloads from the authenticated repository (support\naccount token). The legacy clear-text ESXi management protocol is blocked as a hardening\nmeasure.\n"
  },
  "id": "broadcom_vcenter_server",
  "mitre_attack": [
    {
      "name": "Exploit Public-Facing Application",
      "tactic": "initial-access",
      "technique_id": "T1190"
    },
    {
      "name": "Exploitation of Remote Services",
      "tactic": "lateral-movement",
      "technique_id": "T1210"
    },
    {
      "name": "Compromise Software Supply Chain",
      "tactic": "initial-access",
      "technique_id": "T1195.002"
    },
    {
      "name": "Valid Accounts",
      "tactic": "defense-evasion",
      "technique_id": "T1078"
    },
    {
      "name": "External Remote Services",
      "tactic": "initial-access",
      "technique_id": "T1133"
    }
  ],
  "publisher": {
    "name": "Broadcom",
    "verified": false
  },
  "references": [
    {
      "endpoints": [
        "dl.broadcom.com",
        "vcsa.vmware.com"
      ],
      "product": "vCenter Server 9.0",
      "retrieved": "2026-06-18",
      "title": "Required Ports for vCenter Server",
      "url": "https://ports.broadcom.com",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 431697 — Configuring SSL inspection exclusion for update repository",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=431697",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 390098 — Update repository migration (depot/hostupdate/vapp-updates.vmware.com retired)",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=390098",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 320264 — Ports used by vSphere Lifecycle Manager",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=320264",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 326184 — Required ports for vCenter Server (all versions)",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=326184",
      "vendor": "Broadcom"
    },
    {
      "product": "vCenter Server",
      "retrieved": "2026-06-18",
      "title": "KB 313945 — NTP configuration on the management appliance",
      "url": "https://knowledge.broadcom.com/external/article?legacyId=313945",
      "vendor": "Broadcom"
    }
  ],
  "rules": [
    {
      "action": "allow",
      "application": {
        "app_id": "virtualization_mgmt_web",
        "category": "infrastructure",
        "default_ports": [
          "tcp/443"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 5
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "inbound",
      "identity": {
        "device_posture": "compliant",
        "user_group": [
          "virtualization_admins",
          "infrastructure_admins"
        ]
      },
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "This rule allows vSphere administrators (compliant devices, restricted directory\ngroups) and automation tooling (PowerCLI, the Terraform vSphere provider, the Ansible\nVMware collection) to reach the VCSA over HTTPS 443 (vSphere Client and REST API/SDK).\nBecause the VCSA is a controlled internal server, ssl_inbound_inspection decrypts the\ninbound traffic with the VCSA's own machine SSL certificate and private key; both must\nbe imported into the firewall and re-imported whenever that certificate is renewed or\nreplaced, and clients that pin the vCenter certificate keep working because no substitute\ncertificate is ever presented. Inspection targets exploit attempts against vCenter Server\n(T1190; historical critical examples reachable on 443 include CVE-2021-21985 and\nCVE-2021-22005) and malicious file uploads. CVE-2023-34048 is a DCERPC flaw reached on\nTCP 2012/2014/2020, not on 443, and is outside the scope of this rule. Identity is\nrestricted by directory group (least privilege). Risk is critical (risk 5): compromising\nthe VCSA allows pivoting to every ESXi host over the vpxd↔vpxa channel (T1210). The HTTP\nport 80 redirect towards this service is handled separately by rule 3.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        },
        "url_filtering": {
          "credential_phishing": "block"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "trust",
          "management",
          "vpn"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "appliance_admin_web",
        "category": "infrastructure",
        "default_ports": [
          "tcp/5480"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 5
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "inbound",
      "identity": {
        "device_posture": "compliant",
        "user_group": [
          "infrastructure_admins"
        ]
      },
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "The VAMI (vCenter Appliance Management Interface, TCP 5480) administers the VCSA as\nan appliance: backup scheduling and on-demand backups, network and time (NTP) settings,\nappliance updates including the update repository URL, syslog forwarding, and SSH/bash\nshell access. TLS certificates are managed from the vSphere Client (Administration >\nCertificates) or the certificate-manager CLI, not from the VAMI. The VAMI is distinct from\nthe vSphere management interface on 443; apart from the appliance REST API on 443 and a\nshell session, it is the only interface for these operations. Access is restricted to\nsystem administrators (a narrower directory group than rule 1) and to the management\nzone. ssl_inbound_inspection covers exploit attempts (T1190); logins with valid but\nstolen credentials (T1078) are only visible through the forwarded session logs, which is\nwhy every VAMI session goes to the SIEM. Risk is critical (risk 5): VAMI access allows\nfull reconfiguration of the VCSA, including enabling SSH, pointing updates at a rogue\nrepository, and scheduling backups (which contain the vCenter database and SSO data) to\nan attacker-controlled target.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "5480"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "web_browsing",
        "category": "networking",
        "default_ports": [
          "tcp/80"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "The VCSA redirects port 80 to HTTPS 443 (vSphere Client). No application data is\nexchanged in clear text: the server answers with a redirect and the client reconnects on\n443 (rule 1). IPS in block mode (high severity) catches exploitation attempts against the\nHTTP listener itself. Decryption does not apply: the flow is not encrypted and carries\nnothing beyond the redirect. The rule exists only as a convenience for users who type the\nbare hostname; once clients use https:// URLs it can be removed and port 80 denied.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "high"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "80"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "trust",
          "management",
          "vpn"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "hypervisor_management",
        "category": "infrastructure",
        "default_ports": [
          "tcp/902",
          "tcp/443"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 5
      },
      "decryption": {
        "exclusions": [
          "cert_pinned_app"
        ],
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "The VCSA drives ESXi hosts over the bidirectional vpxd↔vpxa channel. TCP 902 (the\nESXi authd/management port) carries data transfer, host configuration and proxied VM\nconsole sessions (MKS: mouse, keyboard, screen, reached through the vSphere Client).\nTCP 443 is used by vpxd to reach the host's management APIs (hostd/vpxa behind the ESXi\nreverse proxy). The UDP 902 availability heartbeat is covered by rule 4b, so only TCP is\nenforced here. Decryption is disabled (cert_pinned_app exclusion): vpxd verifies each\nhost's certificate (VMCA-issued or from a custom CA), so a forward proxy substituting its\nown certificate would be rejected and the host would drop to Not Responding. IPS watches\nfor exploits against ESXi management services (T1210); 902 is a binary VMware protocol\nrather than HTTP, so signature coverage there is limited and the SIEM-forwarded session\nlogs are the main detection source. Risk is critical (risk 5): this channel is the primary\npivot from a compromised VCSA to every ESXi host. No identity constraint applies because\nboth ends are machines, so pin the rule to the management zone and, where the firewall\nallows it, to the explicit VCSA and host addresses.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "902",
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "hypervisor_heartbeat",
        "category": "infrastructure",
        "default_ports": [
          "udp/902"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "The UDP 902 heartbeat sent by vpxa on each ESXi host to vpxd on the VCSA is how\nvCenter decides whether a host is Connected or Not Responding; a few missed intervals\nflip the host state. It does not carry vSphere HA itself: HA relies on the FDM agents'\nhost-to-host heartbeats (TCP/UDP 8182) and on datastore heartbeats, and keeps protecting\nVMs while vCenter is unreachable, but HA reconfiguration and host health reporting in\nvCenter depend on this flow. Note the direction: the datagrams originate on the ESXi\nhosts, so the rule must allow the host addresses as source. IPS in default mode detects\nprotocol anomalies on this UDP flow without blocking legitimate heartbeats.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "902"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "dns",
        "category": "networking",
        "default_ports": [
          "udp/53",
          "tcp/53"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "DNS resolution is structurally mandatory for the VCSA: deployment fails if the forward\n(A) and reverse (PTR) records for its FQDN do not resolve, and a later mismatch breaks\ncertificate and SSO operations. In operation, DNS is needed to reach managed ESXi hosts\n(vCenter keeps them under the name they were added with), Active Directory domain\ncontrollers (SRV lookups for the SSO integration) and dl.broadcom.com (vLCM and appliance\nupdates). The flow is restricted to a controlled internal resolver; no direct Internet\nresolution. The dns_security profile with sinkhole limits DNS tunnelling and C2 lookups\nfrom the VCSA should it be compromised. The service block here carries only udp/53:\nanswers larger than 512 bytes without EDNS0, DNSSEC-signed answers and zone transfers\nneed tcp/53, so duplicate the rule for TCP unless the firewall accepts one multi-protocol\nservice object.\n"
      },
      "security_profiles": {
        "dns_security": {
          "action": "block",
          "sinkhole": true
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "53"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "internal"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "ntp",
        "category": "networking",
        "default_ports": [
          "udp/123"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL: enable ONLY if the VCSA synchronises time directly with NTP, set through\nthe VAMI Time page, the appliancesh commands timesync.set --mode NTP and ntp.server.set,\nor the /api/appliance/timesync and /api/appliance/ntp REST endpoints. The alternative,\nsynchronising from the ESXi host through VMware Tools, needs no network flow but makes the\nVCSA inherit whatever skew the host has; direct NTP against the same internal sources the\nESXi hosts use is strongly recommended. Correct time is critical for vSphere TLS\ncertificate validity, vCenter SSO and Kerberos authentication (Kerberos tolerates five\nminutes of skew by default), event log correlation and vSphere HA master election.\nRestrict the destination to the internal NTP servers. IPS in default mode detects NTP\nprotocol anomalies (amplification queries, non-standard modes).\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "123"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "internal"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "ssh",
        "category": "remote_access",
        "default_ports": [
          "tcp/22"
        ],
        "risk": 4
      },
      "decryption": {
        "mode": "ssh_proxy"
      },
      "direction": "inbound",
      "identity": {
        "device_posture": "compliant",
        "user_group": [
          "infrastructure_admins"
        ]
      },
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL: enable ONLY while the VCSA SSH service has been explicitly turned on\n(VAMI Access page, or the /api/appliance/access/ssh REST endpoint) for a maintenance\noperation. SSH is off by default on a vSphere 9.0 VCSA (Broadcom security best practice)\nand must be turned off again afterwards; tie this rule to a time-limited policy\n(maintenance window) rather than leaving it permanently enabled. The ssh_proxy decryption\nmode terminates the SSH session on the firewall and re-establishes it to the VCSA, which\nexposes the commands to IPS (exfiltration, suspicious commands on the root shell) but also\nmeans the client sees the firewall's host key instead of the VCSA's: pre-distribute that\nkey to the admin hosts so that a host-key warning remains a meaningful signal. Access is\nlimited to compliant management hosts and the narrowest administration group (T1133);\nlog_start records every session opening, not only its end.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "22"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "network_boot_provisioning",
        "category": "infrastructure",
        "default_ports": [
          "tcp/6501",
          "tcp/6502"
        ],
        "risk": 3
      },
      "decryption": {
        "exclusions": [
          "cert_pinned_app"
        ],
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL: enable ONLY if vCenter Auto Deploy is used for automated (stateless or\nstateful) ESXi host deployment. Booting hosts fetch the iPXE boot script, the ESXi kernel\nand their image profile from the Auto Deploy service on TCP 6501 (plain HTTP), while host\nprofile and rule assignments are driven through the Auto Deploy management listener on\nTCP 6502. Decryption is left off: the 6501 traffic is plain HTTP and the booting firmware\nand iPXE stack do not participate in TLS, so antivirus and IPS already see the payload in\nthe clear. The security point is that a booting host trusts whatever DHCP, TFTP and Auto\nDeploy hand it; the chain is unauthenticated, so the provisioning network must be isolated\nfrom user segments, and the VCSA is the image supply chain for every stateless host\n(T1195.002 if it is compromised). UEFI HTTP boot only replaces the TFTP step (rule 10) with\na direct HTTP fetch of the boot loader; the image still comes from 6501, so this rule is\nrequired whenever Auto Deploy is in use.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "6501",
          "6502"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "tftp",
        "category": "networking",
        "default_ports": [
          "udp/69"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL: enable ONLY if Auto Deploy hosts boot through legacy PXE (BIOS, or UEFI\nwith the TFTP-delivered iPXE binary). TFTP (UDP 69) delivers the iPXE boot file\n(undionly.kpxe.vmw-hardwired for BIOS, snponly64.efi.vmw-hardwired for UEFI) named by\nDHCP option 67; iPXE then chains to the Auto Deploy service on TCP 6501 (rule 9). The\nVCSA does not run a TFTP server: the TFTP Boot Zip is downloaded from the Auto Deploy page\nin the vSphere Client and hosted on a separate TFTP server, so the destination of this\nrule is that server, and the rule belongs in this profile only when the TFTP service lives\nin the management zone. The rule is unnecessary with UEFI HTTP boot, where the firmware\nfetches the boot loader over HTTP instead. TFTP is unauthenticated and unencrypted: keep\nit on the isolated provisioning network and prefer UEFI HTTP boot to eliminate the flow.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "69"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "host_lifecycle_patch_https",
        "category": "infrastructure",
        "default_ports": [
          "tcp/9087"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 4
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "CONDITIONAL: enable ONLY if vSphere Lifecycle Manager (vLCM) is used to update\nmanaged ESXi hosts and check their compliance. If this flow is blocked, imports fail and\nremediations stall without an obvious error. In Broadcom's port documentation TCP 9087 is\nthe listener the vSphere Client uses to upload ISO images and offline bundles into the\nvLCM depot, while ESXi hosts pull patch payloads from TCP 9084 (rule 11); check KB 320264\nfor the version in use before changing either rule. ssl_inbound_inspection (with the\nVCSA's certificate and key on the firewall) lets antivirus and sandboxing examine the\narchives and binaries an administrator uploads: the depot is a supply-chain vector, since\nwhatever it holds is installed on every host (T1195.002). Because the uploads come from\nadministrator browsers, the source zones of this rule should match those of rule 1 rather\nthan the management zone alone.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        },
        "sandboxing": {
          "enabled": true,
          "file_types": [
            "archive",
            "pe"
          ]
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "9087"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "host_lifecycle_patch_legacy",
        "category": "infrastructure",
        "default_ports": [
          "tcp/9084",
          "tcp/8083"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL: enable ONLY if vLCM is used. TCP 9084 is the plain-HTTP listener from\nwhich ESXi hosts download patch and image payloads during remediation, so it is needed\nwhenever hosts are remediated through vLCM, not only for compatibility-mode hosts. TCP\n8083 and 8084 are internal service ports between vCenter and the lifecycle service; since\nthat service runs on the VCSA itself they are reached over localhost and normally need no\nfirewall rule. The clear-text transport on 9084 is a confidentiality and detection concern\nrather than an integrity bypass: ESXi verifies VIB signatures against the host acceptance\nlevel before installing anything, which only holds if no host is set to CommunitySupported.\nAntivirus and IPS inspect the payloads in the clear; restrict the source to the ESXi host\naddresses.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "9084",
          "8083"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "replication_management",
        "category": "infrastructure",
        "default_ports": [
          "tcp/8043"
        ],
        "depends_on": [
          "dns"
        ],
        "risk": 3
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_inbound_inspection"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL: enable ONLY if vSphere Replication is deployed (VR appliance). TCP 8043 is\nthe vSphere Replication Management Server listener on the VR appliance: the VCSA connects\nto it over SOAP/HTTPS to configure replication policies, monitor replication state and\norchestrate failovers, so the flow runs from the VCSA to the VR appliance, both in the\nmanagement zone. It is distinct from the host-to-VR replication data traffic (NFC/NBD),\nwhich belongs in the ESXi host profile. ssl_inbound_inspection therefore needs the VR\nappliance's certificate and private key on the firewall, not the VCSA's; if that key is\nnot available, use mode none with the cert_pinned_app exclusion and rely on IPS and the\nSIEM-forwarded logs.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "medium"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "8043"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "snmp",
        "category": "infrastructure",
        "default_ports": [
          "udp/161"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "inbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if the VCSA's SNMP agent is activated and a network\nmanagement system (NMS) performs polling. SNMPv3 with authentication and encryption\nis strongly recommended for a vSphere infrastructure (vCenter MIBs expose sensitive\ninfrastructure information). Access must be restricted to the NMS IP address. IPS\nin default mode monitors SNMP protocol anomalies (unauthorised walk attempts).\n",
        "fr": "CONDITIONNEL — À n'activer QUE si l'agent SNMP de la VCSA est activé et qu'un\nsystème de supervision réseau (NMS) effectue du polling. SNMP v3 avec authentification\net chiffrement est fortement recommandé pour une infrastructure vSphere (les MIB\nvCenter exposent des informations sensibles sur l'infrastructure). L'accès doit être\nrestreint à l'adresse IP du NMS. L'IPS en mode default surveille les anomalies de\nprotocole SNMP (tentatives de walk non autorisées).\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "161"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "snmp_trap",
        "category": "infrastructure",
        "default_ports": [
          "udp/162"
        ],
        "risk": 2
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if SNMP trap sending is configured on the VCSA toward a\ntrap receiver (NMS). The VCSA emits SNMP UDP traps to the NMS to report vSphere\ninfrastructure events. Prefer SNMPv3 with authentication. IPS in default mode\nmonitors anomalies.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si l'envoi de traps SNMP est configuré sur la VCSA\nvers un récepteur de traps (NMS). La VCSA émet des traps SNMP UDP vers le NMS pour\nsignaler des événements d'infrastructure vSphere. Préférer SNMP v3 avec authentification.\nL'IPS en mode default surveille les anomalies.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "162"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "syslog",
        "category": "infrastructure",
        "default_ports": [
          "udp/514",
          "tcp/514"
        ],
        "risk": 3
      },
      "decryption": {
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable ONLY if unencrypted syslog collection is configured on the VCSA\nAND the current version is vCenter Server 9.x (supported). VERSION WARNING: unencrypted\nsyslog on UDP/TCP 514 is supported in vCenter Server 9.x but is blocked and unsupported\nfrom vCenter Server 9.1 onward. If an upgrade to 9.1+ is planned, migrate to syslog\nTLS (rule 16, port 1514) BEFORE upgrading the VCSA. Unencrypted syslog exposes vCenter\nlogs to interception and tampering on the management network — prefer rule 16 in all\ncircumstances. IPS monitors flow anomalies.\n",
        "fr": "CONDITIONNEL — À n'activer QUE si la collecte syslog non chiffrée est configurée\nsur la VCSA ET que la version courante est vCenter Server 9.x (supporté). AVERTISSEMENT\nDE VERSION : le syslog non chiffré sur UDP/TCP 514 est supporté dans vCenter Server 9.x\nmais est bloqué et non supporté à partir de vCenter Server 9.1. Si une montée de version\nvers 9.1+ est prévue, migrer vers syslog TLS (règle 16, port 1514) AVANT la mise à\nniveau de la VCSA. Syslog non chiffré expose les journaux vCenter à l'interception et\nà la falsification sur le réseau de gestion — préférer la règle 16 en toutes\ncirconstances. L'IPS surveille les anomalies sur le flux.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "block",
          "min_severity": "high"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "514"
        ],
        "protocol": "udp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "syslog_tls",
        "category": "infrastructure",
        "default_ports": [
          "tcp/1514"
        ],
        "risk": 2
      },
      "decryption": {
        "exclusions": [
          "cert_pinned_app"
        ],
        "mode": "none"
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "profile": "siem_default"
      },
      "rationale": {
        "en": "CONDITIONAL — Enable if encrypted TLS syslog log collection is configured on the\nVCSA. Recommended in vCenter Server 9.x, and mandatory from vCenter Server 9.1\nonward (unencrypted syslog on 514 is blocked from that version). Recommended\nmigration path from rule 15. Decryption is disabled (cert_pinned_app) as the TLS\nsyslog collector uses a vSphere device certificate for mutual authentication.\n",
        "fr": "CONDITIONNEL — À activer si la collecte de logs syslog chiffrée TLS est configurée\nsur la VCSA. Recommandé en vCenter Server 9.x, et obligatoire à partir de vCenter\nServer 9.1 (le syslog non chiffré sur 514 étant bloqué dès cette version). Voie de\nmigration recommandée depuis la règle 15. Le déchiffrement est désactivé\n(cert_pinned_app) car le collecteur syslog TLS utilise un certificat d'équipement\nvSphere pour l'authentification mutuelle.\n"
      },
      "security_profiles": {
        "ips": {
          "action": "default"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "1514"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "allow",
      "application": {
        "app_id": "software_update",
        "category": "infrastructure",
        "default_ports": [
          "tcp/443"
        ],
        "depends_on": [
          "dns",
          "ssl"
        ],
        "risk": 4
      },
      "decryption": {
        "exclusions": [],
        "mode": "ssl_forward_proxy"
      },
      "direction": "outbound",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": false,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "The VCSA and vLCM download vCenter Server updates and ESXi patches/images from\ndl.broadcom.com, Broadcom's authenticated repository (per-support-account token,\nKB 431697). This is the only outbound Internet flow and a critical supply-chain\nvector (T1195.002): ssl_forward_proxy is mandatory to allow antivirus and sandboxing\nto inspect downloaded packages. url_filtering blocks risky categories and uncategorised\nsites.\nDEPLOYMENT ALLOW-LIST: authorise only dl.broadcom.com (active repository since\nApril 2025). DO NOT authorise the retired legacy VMware domains\n(depot.vmware.com, hostupdate.vmware.com, vapp-updates.vmware.com — HTTP 403 since\n23 April 2025, KB 390098).\nDeployment note: dl.broadcom.com uses a per-support-account authentication token;\nconfigure the SSL inspection exclusion for this specific domain at the proxy level\n(KB 431697), not a general decryption exclusion in this rule. High risk (risk 4):\nsupply-chain vector with wide blast radius on the VCSA and all managed ESXi hosts.\n",
        "fr": "La VCSA et vLCM téléchargent les mises à jour vCenter Server et les patches/images\nESXi depuis dl.broadcom.com, dépôt authentifié Broadcom (token par compte support,\nKB 431697). C'est le seul flux sortant vers Internet et un vecteur critique de chaîne\nd'approvisionnement (T1195.002) : ssl_forward_proxy est obligatoire pour permettre à\nl'antivirus et au sandboxing d'inspecter les paquets téléchargés. url_filtering bloque\nles catégories à risque et les sites non catégorisés.\nALLOW-LIST DE DÉPLOIEMENT : autoriser uniquement dl.broadcom.com (dépôt actif depuis\navril 2025). NE PAS autoriser les anciens domaines VMware retirés\n(depot.vmware.com, hostupdate.vmware.com, vapp-updates.vmware.com — HTTP 403 depuis\nle 23 avril 2025, KB 390098).\nNote de déploiement : dl.broadcom.com utilise un token d'authentification par compte\nsupport ; configurer l'exclusion d'inspection SSL sur ce domaine spécifique au niveau\ndu proxy déployé (KB 431697), pas une exclusion générale de déchiffrement dans cette\nrègle. Risque élevé (risk 4) : vecteur supply chain à large rayon d'impact sur la VCSA\net l'ensemble des hôtes ESXi gérés.\n"
      },
      "security_profiles": {
        "antivirus": {
          "action": "block"
        },
        "dns_security": {
          "action": "block",
          "sinkhole": true
        },
        "ips": {
          "action": "block",
          "min_severity": "low"
        },
        "sandboxing": {
          "enabled": true,
          "file_types": [
            "archive",
            "pe"
          ]
        },
        "url_filtering": {
          "block_categories": [
            "malware",
            "phishing",
            "c2",
            "newly_registered_domain",
            "compromised"
          ],
          "credential_phishing": "block",
          "uncategorized_action": "block"
        }
      },
      "service": {
        "app_default": true,
        "ports": [
          "443"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "internet"
        ],
        "source": [
          "management"
        ]
      }
    },
    {
      "action": "drop",
      "application": {
        "app_id": "clear_text_hypervisor_mgmt",
        "category": "infrastructure",
        "default_ports": [
          "tcp/80"
        ],
        "risk": 4
      },
      "direction": "internal",
      "logging": {
        "log_end": true,
        "log_forwarding": true,
        "log_start": true,
        "profile": "siem_high_priority"
      },
      "rationale": {
        "en": "Hardening: clear-text (HTTP) communication attempts toward ESXi host management\ninterfaces are silently dropped. Modern ESXi hosts (vSphere 7+) expose their\nmanagement interfaces only over HTTPS (port 443, rule 4 — vpxd↔vpxa channel); an\nHTTP flow toward an ESXi host is either a legacy configuration residue or an attempt\nto bypass encryption (T1557 — in-flight interception, vCenter/ESXi credential theft).\nHigh-priority logging flags every attempt for investigation. Note: this rule targets\ninternal VCSA <-> ESXi host flows; the HTTP 80 to HTTPS redirect for administrator\nclients (vSphere Client) is covered by rule 3 (inbound direction).\n",
        "fr": "Durcissement : les tentatives de communication en clair (HTTP) vers les interfaces\nde gestion des hôtes ESXi sont bloquées silencieusement. Les hôtes ESXi modernes\n(vSphere 7+) n'exposent leurs interfaces de gestion qu'en HTTPS (port 443, règle 4 —\ncanal vpxd↔vpxa) ; un flux HTTP interne vers un hôte ESXi est soit un résidu de\nconfiguration hérité, soit une tentative de contournement du chiffrement\n(T1557 — interception en vol, vol d'identifiants vCenter/ESXi). Le log en haute\npriorité signale toute tentative pour investigation. Note : cette règle cible les\nflux internes VCSA <-> hôtes ESXi ; la redirection HTTP 80 vers HTTPS pour les\nclients administrateurs (vSphere Client) est couverte par la règle 3 (sens entrant).\n"
      },
      "service": {
        "ports": [
          "80"
        ],
        "protocol": "tcp"
      },
      "zones": {
        "destination": [
          "management"
        ],
        "source": [
          "management"
        ]
      }
    }
  ],
  "schema_version": "1.0.0",
  "threat_model": {
    "attacker_goal": {
      "en": "Compromise the VCSA (vCenter Server) to pivot to ESXi hosts and their\nworkloads, or establish fleet-wide vSphere persistence (VM implant deployment,\nsecrets extraction).\n",
      "fr": "Compromettre la VCSA (vCenter Server) pour pivoter vers les hôtes ESXi et\nleurs charges de travail, ou établir une persistance à l'échelle du parc\nvSphere (déploiement d'implants sur les VM, extraction de secrets).\n"
    },
    "key_controls": [
      "management_zone_segmentation",
      "ssl_inbound_inspection",
      "ssl_forward_proxy",
      "identity_user_group_restriction",
      "block_cleartext_management",
      "update_sandboxing",
      "ssh_restricted_access"
    ],
    "summary": {
      "en": "vCenter Server (VCSA) is the single control plane of the VMware vSphere\ninfrastructure: its compromise grants access to workloads on all VM guests hosted\non managed ESXi hosts. Three attack surfaces dominate. (1) The vSphere Client/REST\nAPI (T1190, T1078): application CVEs on vCenter (many critical CVEs historically)\nor stolen SSO credentials provide initial access, followed by a pivot to ESXi hosts\nvia vpxd↔vpxa (T1210). (2) The dl.broadcom.com update channel (T1195.002): a\nmalicious package downloaded by vLCM can compromise both the VCSA and all ESXi\nhosts it drives — a supply-chain vector with a very wide blast radius.\n(3) The VCSA maintenance SSH (T1133): disabled by default in vSphere 9.0, it\nexposes a root shell if re-enabled and not disabled after a maintenance window.\nZone segmentation (management), inbound/outbound TLS inspection, and identity\ngroup restrictions (vCenter SSO) reduce these surfaces.\n",
      "fr": "vCenter Server (VCSA) est le plan de contrôle unique de l'infrastructure VMware\nvSphere : sa compromission donne accès aux charges de travail de toutes les VM\nhébergées sur les hôtes ESXi gérés. Trois surfaces d'attaque dominent.\n(1) Le vSphere Client/API REST (T1190, T1078) : CVE applicatives sur vCenter\n(nombreuses CVE critiques historiques) ou vol d'identifiants SSO permettent un\naccès initial, suivi d'un pivot vers les hôtes ESXi via vpxd↔vpxa (T1210).\n(2) Le canal de mises à jour dl.broadcom.com (T1195.002) : un paquet malveillant\ntéléchargé par vLCM peut compromettre la VCSA et tous les hôtes ESXi qu'elle\npilote — vecteur supply chain à très large rayon d'impact.\n(3) Le SSH de maintenance VCSA (T1133) : désactivé par défaut dans vSphere 9.0,\nil expose un shell root si ré-activé et non désactivé après intervention.\nLa segmentation de zone (management), l'inspection TLS entrante et sortante, et\nla restriction des groupes d'identité (SSO vCenter) réduisent ces surfaces.\n"
    }
  },
  "title": {
    "en": "vCenter Server 9.0 (Broadcom/VMware vSphere)",
    "fr": "vCenter Server 9.0 (Broadcom/VMware vSphere)"
  },
  "trust_tier": "community",
  "version": "1.0.0"
}