VMware

7 Replies Last post: Aug 11, 2009 9:02 AM by Texiwill

SSL Server support weak encryption posted: Jul 1, 2009 2:30 AM

MAD1969, Lurker, 1 post since Feb 4, 2008

Completed a vulnerability study on our ESX 3.5 environment and it highlighted (SSL (Secure Socket Layer) Server supports weak encryption keys, which are defined as encryption keys with lengths of less than 128 bits. Messages encrypted with weak encryption keys are relatively easy for an unauthorized user to decrypt) on port 443.

I have looked at the VMware Security Hardening document and it says that it Must always be available.

Should this be left allowed, or is there anything I can do to correct this?

Thanks

Re: SSL Server support weak encryption

1. Jul 1, 2009 10:33 AM in response to: MAD1969
Texiwill, Guru, 10,213 posts since Jan 13, 2004
Hello,

Moved to the Security Forum.

Welcome to the forums. The big issue about this question, and it actually comes up a lot, is how the 'tool' you are using is finding this vulnerability. I imagine it is looking at the version of OpenSSL installed on the host and not actually trying to run an exploit. If it is looking at the version # then it is a false positive, as like RedHat, VMware backports changes into OpenSSL without changing the version number of the package.

If it is testing the certificates in use, then replace the self-signed certificates with your own signed certificates.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: SSL Server support weak encryption

2. Aug 10, 2009 12:50 AM in response to: Texiwill
glopglop, Lurker, 3 posts since Apr 16, 2005

SSL Server Weak encryption is not done by checking the openssl version but by simply trying to open a connection using a weak cipher.

For example on ESX 3.5, the following weak ciphers are detected (56-bit encryption).

CIPHER               KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE
SSLv3 WEAK CIPHERS
EXP1024-RC4-SHA      RSA(1024)     RSA             SHA1  RC4(56)                   LOW
EXP1024-DES-CBC-SHA  RSA(1024)     RSA             SHA1  DES(56)                   LOW
DES-CBC-SHA          RSA           RSA             SHA1  DES(56)                   LOW
TLSv1 WEAK CIPHERS
EXP1024-RC4-SHA      RSA(1024)     RSA             SHA1  RC4(56)                   LOW
EXP1024-DES-CBC-SHA  RSA(1024)     RSA             SHA1  DES(56)                   LOW
DES-CBC-SHA          RSA           RSA             SHA1  DES(56)                   LOW


You can test it by running:

openssl s_client -connect <hostname of ESX console>:443 -cipher DES-CBC-SHA

If you are getting an answer, then the weak cipher is supported.

So the question remains open. Is there a way we can enforce only strong ciphers?
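The single-cipher test above can be turned into a small repeatable check for the three 56-bit suites the scan listed. The script below is an added example, not from the thread or from VMware: it wraps the same openssl s_client invocation in a loop and decides from s_client's own "Cipher is ..." line whether the server actually negotiated the offered cipher, rather than just whether the command produced output. The host and port are whatever you pass on the command line; the sample s_client output strings are not part of the script.

```shell
#!/bin/sh
# probe_weak_ciphers.sh - loop the "openssl s_client -cipher <name>" test from the
# post above over each 56-bit suite and read the result from s_client's output.
# Added example; not code from the original thread or from VMware.

# The 56-bit suites reported for ESX 3.5 in the scan table above.
WEAK_CIPHERS="EXP1024-RC4-SHA EXP1024-DES-CBC-SHA DES-CBC-SHA"

# cipher_negotiated OUTPUT CIPHER
# After a successful handshake s_client prints "New, <proto>, Cipher is <name>";
# when nothing could be agreed it prints "New, (NONE), Cipher is (NONE)".
# Returns 0 (true) only when CIPHER itself was negotiated.
cipher_negotiated() {
    printf '%s\n' "$1" | grep -qF "Cipher is $2"
}

# probe_cipher HOST PORT CIPHER
# Offers exactly one cipher, as in the post. Returns 0 if the server accepted it,
# 1 if the server refused it, 2 if there was no handshake result at all
# (connection refused, or the local openssl build lacks the cipher).
probe_cipher() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -cipher "$3" 2>&1)
    if ! printf '%s\n' "$out" | grep -q 'Cipher is'; then
        return 2
    fi
    cipher_negotiated "$out" "$3"
}

# scan_host HOST [PORT]
# Probes every weak cipher, prints one line per cipher and returns the number of
# ciphers the server accepted, so a non-zero exit status means "finding present".
scan_host() {
    host=$1; port=${2:-443}; accepted=0
    for c in $WEAK_CIPHERS; do
        rc=0
        probe_cipher "$host" "$port" "$c" || rc=$?
        case $rc in
            0) echo "$host:$port ACCEPTS $c"; accepted=$((accepted + 1)) ;;
            1) echo "$host:$port rejects $c" ;;
            *) echo "$host:$port $c: probe inconclusive (no handshake result)" ;;
        esac
    done
    return $accepted
}

# Only probe when a host is given, e.g.:  ./probe_weak_ciphers.sh esx01.example 443
if [ -n "${1:-}" ]; then
    scan_host "$1" "${2:-443}"
fi
```

The "inconclusive" branch matters when you run this today: OpenSSL 1.1.0 and later do not build the export and single-DES suites in by default, so a modern client reports a local cipher error rather than a server rejection, and the finding from a 2009 scanner cannot be reproduced from such a client. Run the check from a build that still offers these suites, or rely on the scanner's own probe.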

Re: SSL Server support weak encryption

3. Aug 10, 2009 7:51 AM in response to: glopglop
rrandell, Enthusiast, 61 posts since Aug 9, 2007
It is the case that these weaker ciphers are currently supported. This is being addressed, but IMHO the risk is VERY minimal. The fact is that the only way this risk could be realized is if one of your administrators used a browser that only supported the weak ciphers. Neither the VIC nor most modern browsers support weak ciphers. From my perspective, this is more of a concern for a public-facing website to allow this, since you don't necessarily know what the "users" of the website are using for their browser. In a corporate environment, you should be able to control what browser your administrators are using, which will completely mitigate this risk.

Re: SSL Server support weak encryption

4. Aug 10, 2009 8:09 AM in response to: rrandell
Texiwill, Guru, 10,213 posts since Jan 13, 2004
Hello,

The only way I know to do this would be to recompile openSSL without those ciphers. I am glad the test is more than just looking at version numbers. But as Rob stated, your management network should be protected with a well defined set of tools connecting to it.


Best regards,
Edward L. Haletky

Re: SSL Server support weak encryption

5. Aug 10, 2009 11:45 AM in response to: rrandell
glopglop, Lurker, 3 posts since Apr 16, 2005


I tend to agree with you that the risk is minimal but some security officers/auditors like to have "clean" scan results.

It is good to know that this is being addressed as this will avoid lengthy discussions with auditors in the future.

Re: SSL Server support weak encryption

6. Aug 10, 2009 11:54 AM in response to: Texiwill
glopglop, Lurker, 3 posts since Apr 16, 2005

An openssl recompile is not needed to disable weak ciphers. This is usually a server-side option/configuration of the application using openssl.

For example, in Apache/mod_ssl this is controlled by the SSLCipherSuite parameter; in Tomcat, this is controlled by the ciphers parameter in the server.xml config file, ....

For VMware there seems to be no way to configure this, but this is currently being addressed according to rrandell's previous post.

Re: SSL Server support weak encryption

7. Aug 11, 2009 9:02 AM in response to: glopglop
Texiwill, Guru, 10,213 posts since Jan 13, 2004
Hello,

You could change it in these files.... Not sure what would happen but do not think it is an issue.....

/usr/lib/vmware/webAccess/tomcat/*/conf/server.xml

However, not everything uses tomcat either so there are other concerns as well. This just fixes it for webAccess which includes anything using the VI-SDK, etc.


Best regards,
Edward L. Haletky

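The Tomcat route discussed in the last two replies (the ciphers attribute on the SSL Connector in server.xml) can be audited rather than eyeballed. The script below is an added example and is not from the thread, from VMware, or from the Tomcat project: it extracts the ciphers attribute from a Connector element and flags any JSSE suite whose name marks it as an export or 56-bit suite. The two Connector lines are constructed for the example, they assume a JSSE (non-APR) connector, and the name-pattern heuristic for "weak" (EXPORT, single DES, or 56-bit RC4 in the suite name) is mine; it is not Tomcat's own classification. The AES suite names used in the pinned example are standard JSSE names.

```shell
#!/bin/sh
# audit_connector_ciphers.sh - check whether a Tomcat SSL <Connector> pins its
# cipher list and whether that list still contains export / 56-bit suites.
# Added example; not from the thread, VMware, or Tomcat. Connector lines are constructed.

# Constructed "before": no ciphers attribute, so the runtime's default suite list
# applies (which is how the 56-bit suites in the scan above end up enabled).
CONNECTOR_DEFAULT='<Connector port="443" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" />'

# Constructed "after": same connector with the list pinned to 128/256-bit AES only.
CONNECTOR_PINNED='<Connector port="443" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />'

# connector_ciphers CONNECTOR_LINE
# Prints the value of the ciphers="..." attribute (comma-separated), or nothing
# when the attribute is absent. Assumes the element is on one line, as above.
connector_ciphers() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]ciphers="\([^"]*\)".*/\1/p'
}

# weak_suites_in LIST
# Prints each suite from the comma-separated LIST that the name heuristic flags:
# EXPORT-grade, single DES (3DES names read "_3DES_EDE_" and are not matched),
# or the 56-bit RC4 variant. Heuristic is this example's own, not Tomcat's.
weak_suites_in() {
    for s in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $s in
            *EXPORT*|*_DES_*|*_56_*) echo "$s" ;;
        esac
    done
    return 0
}

# audit_connector CONNECTOR_LINE
# Returns 0 when a cipher list is pinned and free of weak suites,
# 1 when nothing is pinned (runtime defaults apply),
# 2 when the pinned list still contains weak suites.
audit_connector() {
    list=$(connector_ciphers "$1")
    if [ -z "$list" ]; then
        echo "no ciphers attribute: runtime default suite list applies"
        return 1
    fi
    weak=$(weak_suites_in "$list")
    if [ -n "$weak" ]; then
        echo "pinned list still contains weak suites:"
        echo "$weak"
        return 2
    fi
    echo "pinned list OK: $list"
    return 0
}

# Walk the file the reply above names when it is passed as an argument, e.g.:
#   ./audit_connector_ciphers.sh /usr/lib/vmware/webAccess/tomcat/*/conf/server.xml
for f in "$@"; do
    grep '<Connector' "$f" | grep -i 'SSLEnabled="true"' | while read -r line; do
        echo "== $f"
        audit_connector "$line" || true
    done
done
```

Pinning the list only closes the finding for webAccess, as the reply above says; anything on the host that terminates SSL with OpenSSL directly rather than through Tomcat is unaffected by server.xml, so re-run the s_client probe against port 443 after the change rather than assuming the scan is clean.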