ESXi detect build number with "n"

I scanned my ESXi 6.0.0 build 5572656, VMware ESX(i) Detection (HTTP) report show a correct build number, but follow vulnerability report show a result with build number like “n”:

  • VMSA-2017-0006: VMware ESXi updates address critical and moderate security issues (remote check)
  • VMSA-2016-0002: VMware product updates address a critical glibc security vulnerability (remote check)
  • VMSA-2016-0001 VMware ESXi, Fusion, Player, and Workstation updates address important guest privilege escalation vulnerability (remote check)
  • VMSA-2016-0010 (CVE-2016-5331) ESXi: VMware product updates address multiple important security issues (remote check)
  • VMSA-2016-003: VMware ESXi updates address a cross-site scripting issue (remote check)

Thanks for your report.

There was indeed a problem with the build extraction for ESXi. This has been fixed today and the changes should arrive in the feeds in the next couple of days.

1 Like

Thanks, I updated and rescaned, the detected build number is 2494585 now, it’s still incorrect

This looks like expected. The build number is provided by ESXi via the queried API endpoint, you can check that by having a look at the “Concluded from version/product identification result:” output of the following VT:

Name: VMware ESX(i) Detection (HTTP)

VMware ESX(i) Detection (HTTP) result is correct, same as before:
Detected VMware ESXi
Version: 6.0.0
Build: 5572656
Location: /
CPE: cpe:/o:vmware:esxi:6.0.0

If the HTTP Detection-VT is showing the correct build then i don’t see any way how the Vulnerability-VT can show a different build. If we’re checking the gb_vmware_esx_web_detect.nasl VT we can see the following around line 127:

      replace_kb_item(name:"VMware/ESX/build", value:_build[1]);
      build = _build[1];

and the build variable is later used for the reporting in the Detection-VT in line 159:


as well as in the Vulnerability-VT like e.g. 2017/gb_VMSA-2017-0006_remote.nasl for the reporting:

if( ! esxBuild = get_kb_item( "VMware/ESX/build" ) ) exit( 0 );

The only real explanation for a discrepancy in the build between the HTTP Detection-VT and the Vulnerability-VT could be that the Detection is happening via SNMP (in addition to the Detection via HTTP) with the following VT and ESXi is reporting a wrong / older build number via SNMP:

Name: VMware ESX detection (SNMP)

If this is really the case then i don’t think that there is much what can be done about that if the ESXi is reporting a wrong / outdated build via SNMP.

VMware ESX(i) Detection (HTTP) result is correct from the beginning, and the Vulnerability result changed from “n” when I updated.
I cann’t find any build number from other Detection-VT, and SNMP service is stopped.
But I started SNMP service and rescanned, and a few server passed Vulnerability-VT.
That’s weird.

Yes, that is indeed very wired and (unfortunately) i don’t have any explanation for this.