We had a Pen Test done recently on a couple of vBlocks that we need some security accreditation against. (See how I’m being vague there for security reasons 😉
One of the items that came up was a weak cipher on port 10109 of the vCenter server.
Zut Alors! That sounds serious, well it might be.
Not seeing a way to update the service which was opening this port (vCenter Inventory Service) I did what we would all do, which was search for the KB article. Impressively there was an article referring to my exact issue, nice!
Well it was until I read it. The advice was to “disable the firewall rule preventing access to this port”.
This is actually back to front. As I found in Windows Firewall there is actually an allow rule for
“vCenter Inventory Service – Service Management Port”
So what is required is actually that port to be disabled. Simply change the Windows Firewall Rule.
- Right click the rule called “vCenter Inventory Service – Service Management Port”
- On the general tab under action change “Allow the connection” to “Block the connection”
- Test you can no longer telnet to port 10109 remotely
This was confirmed after logging a call with VMWare (the KB article does state that the port is used for debugging and is used by any external agent.
Hopefully the KB will be updated soon