VMware Communities

30 replies. Last post: May 28, 2009 4:06 PM by BacMan

Installing ESX at a DoD facility posted: Apr 18, 2008 9:49 AM

pmorrison (Enthusiast, 75 posts since Oct 27, 2004)

In order to have ESX connected to a DoD network you must pass the STIG requirements. When doing this you get several false findings like this:

PDI Number: IAVA0360
Finding Category: CAT I
Reference: IAVA 2003-A-0015
Description: There are multiple vulnerabilities in OpenSSL.
Status: Open

For example:

IAVA0360: IAVA 2003-A-0015

/usr/bin/openssl version 0.9.7a found on esx.fqdn.com 2.4.21-47.0.1.ELvmnix.

From conversations with others this is supposed to be a false finding and there are even KB articles that state such, but they all reference ESX 1.x and 2.x but nothing regarding 3.0.x or higher...

Does anyone have information that proves that this is a false finding?

Re: Installing ESX at a DoD facility

1. Apr 18, 2008 10:45 AM in response to: pmorrison
kjb007 (Guru, 5,476 posts since Sep 18, 2006)

Basically what I've found is that the OpenSSL implements, or rather, allows SSL v2, v3 and TLS, and that in itself presents the problem. Most clients do not use the older v2 SSL, which is the version that has a few vulnerabilities, as it uses a weaker crypto algorithm than v3 or TLS. So far, I have not found a way to limit the SSL versions in the WebAccess, which is pretty much what those are used for, at least on the ESX side. Not sure if anyone else has either, which would be very good to know. If you want to mitigate that alert, turn off WebAccess, and the port 443 scan should not find that vulnerability any longer.

Hope that helps.

-KjB

Re: Installing ESX at a DoD facility

4. Apr 18, 2008 11:12 AM in response to: pmorrison
kjb007 (Guru, 5,476 posts since Sep 18, 2006)

Re: Installing ESX at a DoD facility

5. Apr 18, 2008 11:13 AM in response to: pmorrison
Dave.Mishchenko (Guru, 8,943 posts since Nov 15, 2005)
Done.

Re: Installing ESX at a DoD facility

7. Apr 18, 2008 11:58 AM in response to: pmorrison
kjb007 (Guru, 5,476 posts since Sep 18, 2006)

Ok, so my question now to you would be, what is the script doing? Looking for vulnerabilities by testing for their existence, or looking for files? The advisory doc should help you with describing that your host is not vulnerable. Is that not what you wanted? I can't speak specifically to the script as I'm not exactly sure what it is doing to find vulnerabilities in the first place.

Re: Installing ESX at a DoD facility

9. Apr 18, 2008 12:25 PM in response to: pmorrison
kjb007 (Guru, 5,476 posts since Sep 18, 2006)

Try this one, it was updated and states in which version the issue was fixed:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1167

-KjB

Re: Installing ESX at a DoD facility

11. Apr 18, 2008 12:38 PM in response to: pmorrison
kjb007 (Guru, 5,476 posts since Sep 18, 2006)

True, but the article states that the issue was fixed in 2.5.3, and now we are at 3.0.x. Just like Windows, if an issue was fixed in Windows 98, do you have to have the same vulnerability now stating that the issue is not there in Windows 2003? I'm not sure how that will go over, but it's worth a try.

Re: Installing ESX at a DoD facility

12. Apr 18, 2008 1:19 PM in response to: kjb007
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

STIG looks like it is inspecting the system, which is just fine for a security assessment tool, but if it is not designed specifically for ESX, anything it brings up is suspect. Specifically revisions.... The version # of OpenSSL that the STIG tool is using is not necessarily the same as what ESX has installed. For example, I know that VMware has patched OpenSSL several times. They have yet to change the version # of the RPMs much. Yet they are up to date with the latest fixes.

It is not always possible to 'Upgrade' the ESX SC to fix these issues, but you have 3 choices going forward: fix the assessment tool (my recommendation); upgrade OpenSSL (which should not affect anything else on the system), which would require a RHEL3-ES QU6 (VI3.0.x) or RHEL3-ES QU8 (VI3.5.x) revision of the RPM; or open a support case with your VMware Support Representative to get the issue resolved. If it was me I would open the support case but also test a later OpenSSL RPM on a system as well as offering feedback to the developers of the assessment tool.


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
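The posts above (kjb007's "is the script testing for the vulnerability or looking for files?" and Texiwill's point that a Red Hat-style backport keeps the RPM version number while the changelog records the fix) come down to one check a practitioner can script. The following is an added example for this thread, not code from VMware, the STIG tool or any poster: it shows the naive banner comparison that produces the IAVA0360 finding against `openssl version 0.9.7a`, and beside it the changelog check that tells a backported fix apart from a genuinely unpatched host. The `rpm -q --changelog` text is a constructed sample, the advisory identifier `ADVISORY-ID-PLACEHOLDER` stands in for whatever CVE/CAN ids the DISA advisory actually lists (the PDI number itself never appears in a vendor changelog), and `probe_sslv2` assumes an OpenSSL build old enough to still have `-ssl2`.

```shell
#!/bin/sh
# Added example (not from the thread or VMware): banner-based scanner logic
# versus a changelog-based backport check. Sample data below is constructed.

# --- 1. What a version-string scanner does -------------------------------
# Compare the banner ("openssl version" -> 0.9.7a) with the upstream release
# in which the fix shipped. Deliberately naive string compare, as such
# scanners are; returns 0 ("vulnerable") when installed sorts below fixed.
# Usage: banner_flags_vulnerable INSTALLED FIXED      e.g. 0.9.7a 0.9.7d
banner_flags_vulnerable() {
    installed=$1
    fixed=$2
    # expr prints 1 and exits 0 when the string comparison holds
    expr "$installed" \< "$fixed" >/dev/null
}

# --- 2. What the host actually has ---------------------------------------
# Constructed sample of 'rpm -q --changelog openssl' on an ESX 3.x service
# console: the version stays 0.9.7a, the release number moves, and the
# changelog records the backported fix by advisory id.
SAMPLE_CHANGELOG='* Mon Jan 01 2007 Example Packager <packager@example.com> 0.9.7a-33.17
- backport upstream fix for ADVISORY-ID-PLACEHOLDER (constructed sample)
* Mon Jan 01 2006 Example Packager <packager@example.com> 0.9.7a-33.16
- rebuild for service console update (constructed sample)'

# Returns 0 if the changelog text on stdin mentions the identifier given.
# Pass the CVE/CAN ids from the IAVA advisory, not the PDI number.
changelog_has_fix() {
    grep -qiF -- "$1"
}

# Same check on a real host (needs rpm; not exercised offline).
host_has_fix() {
    rpm -q --changelog openssl | changelog_has_fix "$1"
}

# --- 3. Test the behaviour, not the banner --------------------------------
# kjb007's concern is SSLv2 being offered on 443. Ask the service directly.
# Assumes an OpenSSL client old enough to still accept -ssl2 (modern builds
# removed it). Exit 0 means the server completed an SSLv2 handshake.
probe_sslv2() {
    openssl s_client -connect "$1:443" -ssl2 </dev/null >/dev/null 2>&1
}

# --- 4. Combined verdict ---------------------------------------------------
# Prints one of: not-flagged | false-positive | open
# Exit status 0 only for a real ("open") finding.
assess() {
    installed=$1
    fixed=$2
    advisory=$3
    if banner_flags_vulnerable "$installed" "$fixed"; then
        if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_fix "$advisory"; then
            echo "false-positive"
            return 1
        fi
        echo "open"
        return 0
    fi
    echo "not-flagged"
    return 1
}

# Example run against the constructed sample: the banner says 0.9.7a < 0.9.7d,
# but the changelog carries the fix, so the finding is a false positive.
assess 0.9.7a 0.9.7d ADVISORY-ID-PLACEHOLDER
```

To use the changelog half on a real service console, replace `SAMPLE_CHANGELOG` with the output of `rpm -q --changelog openssl` (or call `host_has_fix` with each CVE id the advisory lists) and keep the output as evidence when you dispute the finding; if the id is absent, the finding is real regardless of what any KB article says about 2.5.3. The `probe_sslv2` function is the kind of check that distinguishes "file with this version exists" from "port 443 negotiates SSLv2", which is the distinction kjb007 asks about.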

Re: Installing ESX at a DoD facility

14. Apr 21, 2008 2:41 PM in response to: pmorrison
tom howarth (Guru, 7,321 posts since Jul 25, 2005)

ESX is undergoing EAL4+ certification under the Common Criteria; this should be released imminently. Once this is out we should all have a better idea of what is and is not required for SECRET and TOP SECRET implementations requiring ESX Server.

Tom Howarth
VMware Communities User Moderator
