Security issue after updating to vCenter 6.0


I did a crazy thing last week: I decided to update our vCenter appliance (VCSA) from version 5.5U3a to version 6.0 Update 1 (build 3040890). I was surprised how flawlessly it went. It was finished in a couple of hours, “almost” everything was working as expected, so big success 🙂

Until users started to report some permissions problems – for example, those who had rights only to power on VMs couldn’t do it using the Web Client (they got a “File not found” error), and so on. This wasn’t actually such a big concern until I tried another thing.

I had to patch one ESXi host using Update Manager and noticed that it was actually working when it shouldn’t have been. Update Manager was using a LocalOS account which didn’t exist in the new VCSA 6.0 anymore, so I started digging.

I removed the permissions for my personal account and I was still able to log in and do all administrator tasks. Obviously I removed them at all levels, including Global Permissions. My account wasn’t showing in any GUI, either the Web Client or the vSphere Client.

This is in my opinion a huge security flaw, as you cannot effectively revoke access for users who had it in the old vCenter 5.5.

I found KB2123931 regarding permissions in vCenter 6.0. I tried to find my account in both new locations, cis_kv_keyvalue and also Lotus, but it wasn’t there.

The KB also says the VPX_ACCESS table is not used anymore; however, when I tried to select from it, I could find all the old users and their permissions, including mine.

So I decided to truncate (clear) the vpx_access table to see if it would help – it wasn’t supposed to be used anyway :). And it did help, so it looks like it was being used!

After I restarted the vCenter services I was finally getting the “no permissions” error, and I wasn’t able to log in under my account anymore. Permissions for the other users worked fine and were intact, as they should be.

Steps to clear old permissions:

1. Take a snapshot of your vCenter appliance.

2. Follow KB2123931 until step 6 to enter the Postgres shell.

3. To see the records in the old table, enter:

select * from vpx_access;

4. To delete the records (not the table):

truncate vpx_access;

5. Restart the vCenter services as instructed in the KB:

service-control --stop --all

service-control --start --all
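The same cleanup written audit-first, as an added example that is not part of the original post: it records which principals still carry legacy 5.5 entries, keeps a rollback copy alongside the appliance snapshot, and runs the truncate inside a transaction so the row count can be checked before committing. The column names principal, role_id and entity_id are assumed from the VPX_ACCESS schema and should be confirmed with \d vpx_access in the Postgres shell reached in step 2.

```sql
-- Run in the VCDB Postgres shell from step 2 of the procedure above.
-- Assumed columns (verify with \d vpx_access): principal, role_id, entity_id.

-- 1. Audit: which principals still have legacy 5.5 permission rows,
--    and on how many inventory objects? Anyone listed here who no longer
--    appears in the Web Client / Global Permissions is a leftover grant.
SELECT principal,
       COUNT(*)                 AS entries,
       COUNT(DISTINCT entity_id) AS objects
FROM   vpx_access
GROUP  BY principal
ORDER  BY entries DESC;

-- 2. Keep a copy for rollback, in addition to the appliance snapshot.
--    (Table name is constructed for this example.)
CREATE TABLE vpx_access_pre_cleanup AS
SELECT * FROM vpx_access;

-- 3. Clear the legacy table inside a transaction; in PostgreSQL TRUNCATE
--    is transactional, so ROLLBACK restores the rows if the count is wrong.
BEGIN;
TRUNCATE vpx_access;
SELECT COUNT(*) AS remaining FROM vpx_access;   -- expect 0 before COMMIT
COMMIT;

-- 4. After service-control --stop/--start, re-check that the legacy table
--    is still empty and the backup copy holds the original row count.
SELECT (SELECT COUNT(*) FROM vpx_access)             AS legacy_rows,
       (SELECT COUNT(*) FROM vpx_access_pre_cleanup) AS backup_rows;
```

Once the new permissions have been verified, the backup table can be dropped with DROP TABLE vpx_access_pre_cleanup.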


Another error which this fixed for my account was the error when trying to search using the vSphere Client:

(screenshot: vSphere Client search error)

Unable to connect to web services to execute query. Verify that the ‘VMware VirtualCenter Management Webservices’ service is running on https://vcenter:443/invsvc”

About Dusan Tekeljak

With over 12 years of experience in the Virtualization field, currently working as a Senior Consultant for Evoila, contracted to VMware PSO, helping customers with Telco Cloud Platform bundle. Previous roles include VMware Architect for Public Cloud services at Etisalat and Senior Architect for the VMware platform at the largest retail bank in Slovakia. Background in closely related technologies includes server operating systems, networking, and storage. A former member of the VMware Center of Excellence at IBM and co-author of several Redpapers. The main scope of work involves designing and optimizing the performance of business-critical virtualized solutions on vSphere, including, but not limited to, Oracle WebLogic, MSSQL, and others. Holding several industry-leading IT certifications such as VCAP-DCD, VCAP-DCA, VCAP-NV, and MCITP. Honored with #vExpert2015-2019 awards by VMware for contributions to the community. Opinions are my own!