vSphere Client and vSphere Web Client extensions run at the same privilege level as the user who is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use an installation that includes only authorized extensions from trusted sources.
A vCenter installation includes an extensibility framework for the vSphere Client and the vSphere Web Client. You can use this framework to extend the clients with menu selections or toolbar icons. The extensions can provide access to vCenter add-on components or external, Web-based functionality.
Using the extensibility framework results in a risk of introducing unintended capabilities. For example, if an administrator installs a plug-in in an instance of the vSphere Client, the plug-in can run arbitrary commands with the privilege level of that administrator.
To protect against potential compromise of your vSphere Client or vSphere Web Client, examine all installed plug-ins periodically and make sure that each plug-in comes from a trusted source.
You must have privileges to access the vCenter Single Sign-On service. These privileges differ from vCenter Server privileges.
- Log in to the client as firstname.lastname@example.org or a user with vCenter Single Sign-On privileges.
- From the Home page, select Administration, then select Client Plug-Ins under Solutions.
- Examine the list of client plug-ins.
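The periodic review described above can be made repeatable by comparing the plug-in list against a list of authorized extensions. The following Python sketch is an added example, not VMware code; the record fields (`key`, `vendor`, `version`, `url`), the plug-in names, and the allowlist format are assumptions about how you record the inventory you see in the client.

```python
from urllib.parse import urlparse

# Constructed allowlist: plug-in key -> expected vendor and approved package hosts.
AUTHORIZED = {
    "com.example.backup": {"vendor": "Example Backup Inc.", "hosts": {"backup.corp.example"}},
    "com.example.monitor": {"vendor": "Example Monitoring", "hosts": {"monitor.corp.example"}},
    "com.example.reports": {"vendor": "Example Reports", "hosts": {"reports.corp.example"}},
}

# Constructed inventory, as it might be transcribed from the Client Plug-Ins list.
INVENTORY = [
    {"key": "com.example.backup", "vendor": "Example Backup Inc.", "version": "2.1.0",
     "url": "https://backup.corp.example/plugin.zip"},
    {"key": "com.example.monitor", "vendor": "Example Monitoring", "version": "1.4.2",
     "url": "http://monitor.corp.example/plugin.zip"},
    {"key": "com.example.helper", "vendor": "Unknown", "version": "0.9",
     "url": "https://files.other.example/helper.zip"},
    {"key": "com.example.reports", "vendor": "Reports LLC", "version": "3.0",
     "url": "https://reports.corp.example/plugin.zip"},
]


def review_plugins(inventory, authorized):
    """Return {plug-in key: [findings]} for every plug-in that needs follow-up."""
    findings = {}
    for plugin in inventory:
        issues = []
        entry = authorized.get(plugin["key"])
        if entry is None:
            # Never approved: this is the case the review exists to catch.
            issues.append("not on the authorized list")
        else:
            # An approved key with a different vendor may be a masquerading plug-in.
            if plugin["vendor"] != entry["vendor"]:
                issues.append(f"vendor {plugin['vendor']!r} does not match "
                              f"authorized vendor {entry['vendor']!r}")
            url = urlparse(plugin["url"])
            if url.scheme != "https":
                issues.append("package URL is not HTTPS")
            if url.hostname not in entry["hosts"]:
                issues.append("package host is not an approved source")
        if issues:
            findings[plugin["key"]] = issues
    return findings


if __name__ == "__main__":
    for key, issues in review_plugins(INVENTORY, AUTHORIZED).items():
        print(f"{key}: " + "; ".join(issues))
```

Any plug-in the function reports should be traced back to its source before it stays installed.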