Hello,

Moved thread to Security and Compliance forum.

Your assessment tool is looking at the version of OpenSSH from a Linux perspective and stating it has those issues. Note this package as been modified by VMware so this test is invalid. You can not compare versions to see if these problems exist.

VMware provides OpenSSH patches occassionally you should go to http://www.vmware.com/security/ to start your research, but I think you will find that these problems do not exist. I would also change your assessment tool to be more for ESX than Linux.


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Edward makes a very important point...ESX is NOT "just another linux box" to scan. Beyond SSH, there are many aspects of the operating environment to consider for vulnerabilities.

I would also like to point out, that in my experience, running literally millions of network and host vulnerability scans over the past few years, I have rarely encountered an instance of a hypervisor vulnerability being exploited in the wild. By far and away the true "risk" when you move into virtualized environments, and statistics will bear this out, is within the VM population. Rapid Physical to Virtual (P2V) migration and consolidation has relocated many existing "host" or "server" issues, right into the VM 'version'.

Please folks, as you watch so diligently over the hypervisor, don't neglect what 20+ years of network security has taught us:

1) No silver bullets

2) Defense in depth

3) Dual controls

4) Start with the basics!

Scan your physical systems and remediate any critical risk factors PRIOR to virtualizing. At least you aren't populating your brand new virtual infrastructure with "known" vulnerabilities. And in my personal experience, they are more of a genuine risk than any combination of hypervisor "threats", real or imagined.

My 2p!

Happy Holidays and Happy New Year to all!

Best regards,

Howard

PS Everyone should buy and read Edward's book, it is a MUST HAVE for those debating any fundamental security issue.

PPS No, I don't get a commission, he has earned his stripes!

PPPS Full disclosure: I am the 'father' of the Catbird V-Agent, and Executive Advisor to the company. If you are in very restrictive environments (Government, Military, Defense, Healthcare, Finance), due to regulation or compliance issues, or plain paranoia, you should get a free copy of the just released Compliance Enforcer for VMware ESX:

The Catbird Compliance Enforcer is a free service that instantly
validates and enforces the security and compliance of virtual data
centers. Unlike passive auditing tools, the Catbird Compliance
Enforcer’s automated VM quarantine technology brings a level of
protection to VMware commensurate with industry regulations and
critical to passing traditional audits.

Sign up here for FREE! http://www2.catbird.com/our_services/enforcer_request.php

Tell them "Howard sent you..."