Hi,
I'm getting several vulnerabilities in the latest vCSA version after using the TLS reconfiguration tool to disable TLSv1:
QID 38604 - TLS CBC Incorrect Padding Abuse Vulnerability port 1514/tcp over SSL
QID 11827 - HTTP Security Header Not Detected port 443/tcp, port 5480/tcp
On ESXi hosts:
QID 86476 - Web Server Stopped Responding port 9080/tcp over SSL
QID 11827 - HTTP Security Header Not Detected port 443/tcp
Can someone point me in the right direction to resolve these issues?
Hello,
Kindly find the following: Disable TLS Versions on ESXi Hosts
Please consider marking this answer "CORRECT" or "Helpful" if you think your question has been answered correctly.
Cheers,
VCIX6-NV|VCP-NV|VCP-DC|
Hi,
I followed this procedure already, and the result after the Qualys scan is those vulnerabilities on the vCSA and ESXi hosts.
I can't find any guidance on how to correct it.
Best regards,
Nenad
Did you ever get this resolved? We just got this on a scan too. TLSv1.2 is the only protocol enabled.
FWIW for QID 38604 we got this response from VMware.
The Qualys Bug ID 38604 is a false positive; we had filed an internal bug to track whether the Qualys report was a vulnerability, and the result shared is below.
"The selected cipher "ECDHE-RSA-AES256-SHA384" is from "TLSv1/SSLv3" family, that doesn't mean the server is supporting SSLv3 protocol.
Protocol used is "Protocol : TLSv1.2" and no issues observed here.
It is possible that Qualys are flagging QID 38604 as it picks up on ECDHE-RSA-AES256-SHA384 which belongs to the SSLv3 family (although not in use). This is an assumption, we don't have information as to why Qualys are flagging this."
Conclusion: vCSA does not use the SSLv3 protocol on port 1514, so this is a false positive.
Howdy,
I know this post is old, but figured I would reply anyways.
Beware - An update to the appliance might revert these changes, I have no idea.
I get this one all the time: QID 11827 - HTTP Security Header Not Detected port 443/tcp, port 5480/tcp
Try this in /etc/applmgmt/appliance/lighttpd.conf:
setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
    "X-Frame-Options" => "Deny",
    "Cache-Control" => "max-age=0, no-store, no-cache, must-revalidate, no-cache=set-cookie",
    # the only defined Pragma value is "no-cache" (with the hyphen)
    "Pragma" => "no-cache",
    "X-XSS-Protection" => "1; mode=block",
    "X-Content-Type-Options" => "nosniff",
    # HSTS is ignored by browsers unless it carries an explicit max-age directive
    "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
Then systemctl restart vami-lighttp
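To confirm the lighttpd change before the next scan, the script below (an added example, not code from this thread or from VMware) parses a raw HTTP response and reports which of the headers QID 11827 looks for are missing or malformed. The three sample responses are constructed, not captured from an appliance; the HSTS validator is deliberately strict about the max-age directive because a bare number is silently ignored by browsers.

```python
"""Offline check for the response headers QID 11827 reports as missing (added example)."""
import re
import ssl
import http.client


def _hsts_ok(value):
    # HSTS is only honoured when a positive max-age directive is present.
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) > 0


# Header name -> validator for its value (names are matched case-insensitively).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": _hsts_ok,
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
}


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_security_headers(raw):
    """Return a list of findings; an empty list means every required header passed."""
    _, headers = parse_response_headers(raw)
    findings = []
    for name, valid in REQUIRED_HEADERS.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif not valid(value):
            findings.append(f"malformed: {name}: {value!r}")
    return findings


def fetch_raw_headers(host, port=443, path="/", verify=True):
    """Fetch status line and headers from a live host; the offline samples below do not use this."""
    ctx = ssl.create_default_context()
    if not verify:  # appliance certificates are often self-signed; only the headers matter here
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample responses (not captured from a real appliance).
BEFORE = "HTTP/1.1 200 OK\r\nServer: lighttpd\r\nContent-Type: text/html\r\n\r\n"
TYPO = ("HTTP/1.1 200 OK\r\nX-Frame-Options: Deny\r\nX-Content-Type-Options: nosniff\r\n"
        "Strict-Transport-Security: 31536000; includeSubdomains\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nX-Frame-Options: Deny\r\nX-Content-Type-Options: nosniff\r\n"
         "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_headers.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(check_security_headers(fetch_raw_headers(sys.argv[1], port)) or "all required headers present")
    else:
        for label, sample in (("before", BEFORE), ("typo", TYPO), ("after", AFTER)):
            print(label, check_security_headers(sample) or "ok")
```

Run it with no arguments to see the three constructed cases, or with a host and port (443 and 5480 are the two the scan reported) to check a live appliance; pass `verify=False` to `fetch_raw_headers` if the appliance still uses its self-signed certificate.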
I ran into this issue as well: QID 38604 - TLS CBC Incorrect Padding Abuse Vulnerability port 1514/tcp over SSL
Qualys doesn't care if only TLS 1.2 is enabled; it's not actually testing a handshake, as that would incur too much load on some systems. I think all it does is scan files for text and issue status commands to services. The mere presence of a bad cipher in any conf file or command output causes Qualys to whine. Rsyslog uses gnutls, whose settings are in /etc/gnutls/default-priorities:
SYSTEM=NONE:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+AEAD:+SHA384:+SHA256:+SHA1:+COMP-NULL:+VERS-TLS1.2:+SIGN-RSA-SHA224:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-DSA-SHA224:+SIGN-DSA-SHA256:+SIGN-ECDSA-SHA224:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+CTYPE-OPENPGP:+CTYPE-X509:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM
I changed this ^ to this v (in addition to running /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2):
SYSTEM=NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL
I got a clean scan!
You might also be able to, in /etc/rsyslog.conf, manually load this module like this at the top of your conf:
module( load="imtcp"
streamdriver.name="gtls"
streamdriver.mode="1"
streamdriver.authmode="anon"
gnutlsprioritystring="NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL"
)
input(type="imtcp" port="1514")
Then systemctl restart rsyslog
Let me know if this works out for anyone else!
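The two priority strings above are easier to reason about once they are parsed. The script below is an added example (not GnuTLS's own parser and not code from this thread): a simplified model of GnuTLS priority-string semantics, handling only strings that start from NONE, with "+" adding an algorithm, "-" removing it and "!" removing it permanently. It reports which protocol versions and ciphers each string leaves enabled, and whether any CBC cipher (the thing QID 38604 reacts to) remains. The third string is a constructed alternative, not from the post, that stays TLS 1.2-only but re-enables AEAD ciphers.

```python
"""Simplified model of GnuTLS priority strings (added example, not GnuTLS code)."""

MAC_TOKENS = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512", "AEAD", "MAC-ALL"}
KX_TOKENS = {"RSA", "DHE-RSA", "DHE-DSS", "ECDHE-RSA", "ECDHE-ECDSA", "ANON-DH",
             "ANON-ECDH", "PSK", "DHE-PSK", "ECDHE-PSK", "SRP", "SRP-RSA", "SRP-DSS", "KX-ALL"}
PREFIXES = (("VERS-", "versions"), ("SIGN-", "signatures"), ("COMP-", "compression"),
            ("CURVE-", "groups"), ("GROUP-", "groups"), ("CTYPE-", "cert_types"))

# The default line and the changed line from the post, plus one constructed
# alternative (assumption, not from the post) that keeps TLS 1.2 only.
PAGE_DEFAULT_PRIORITY = (
    "SYSTEM=NONE:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+AEAD"
    ":+SHA384:+SHA256:+SHA1:+COMP-NULL:+VERS-TLS1.2:+SIGN-RSA-SHA224:+SIGN-RSA-SHA256"
    ":+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-DSA-SHA224:+SIGN-DSA-SHA256:+SIGN-ECDSA-SHA224"
    ":+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA512:+CURVE-SECP256R1"
    ":+CURVE-SECP384R1:+CURVE-SECP521R1:+CTYPE-OPENPGP:+CTYPE-X509:-CAMELLIA-256-CBC"
    ":-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM")
PAGE_CHANGED_PRIORITY = (
    "SYSTEM=NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL")
EXAMPLE_TLS12_GCM_PRIORITY = (
    "SYSTEM=NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2"
    ":+AES-256-GCM:+AES-128-GCM:+AEAD:+ECDHE-RSA:+RSA:+SHA256:+SHA384"
    ":+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+CURVE-SECP256R1:+CTYPE-X509:+COMP-NULL")


def classify(token):
    """Map a token to its algorithm category; anything unrecognised is treated as a cipher."""
    for prefix, category in PREFIXES:
        if token.startswith(prefix):
            return category
    if token in MAC_TOKENS:
        return "macs"
    if token in KX_TOKENS:
        return "key_exchange"
    return "ciphers"


def parse_priority(prio):
    """Return (enabled algorithms per category, tokens blocked with '!')."""
    parts = [p.strip() for p in prio.split(":") if p.strip()]
    if parts and "=" in parts[0]:          # accept the "SYSTEM=..." form used in the file
        parts[0] = parts[0].split("=", 1)[1]
    if not parts or parts[0].upper() != "NONE":
        raise ValueError("only priority strings starting from NONE are modelled")
    enabled = {category: [] for _, category in PREFIXES}
    enabled.update({"macs": [], "key_exchange": [], "ciphers": []})
    blocked = set()
    for part in parts[1:]:
        op, token = part[0], part[1:].upper()
        if op == "%":                      # behaviour flags such as %SERVER_PRECEDENCE: not modelled
            continue
        category = classify(token)
        if op == "+":
            if token not in blocked and token not in enabled[category]:
                enabled[category].append(token)
        elif op in "-!":
            if token in enabled[category]:
                enabled[category].remove(token)
            if op == "!":                  # '!' also prevents a later '+' from re-adding it
                blocked.add(token)
        else:
            raise ValueError(f"token {part!r} lacks a +, - or ! operator")
    return enabled, blocked


def analyse_priority(prio):
    """Summarise what a priority string leaves enabled from a TLS-hardening point of view."""
    enabled, blocked = parse_priority(prio)
    legacy = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}
    return {
        "versions": enabled["versions"],
        "cbc_ciphers": [c for c in enabled["ciphers"] if c.endswith("-CBC")],
        "has_cipher": bool(enabled["ciphers"]),
        "legacy_blocked": legacy <= blocked,
    }


if __name__ == "__main__":
    for label, prio in (("default", PAGE_DEFAULT_PRIORITY),
                        ("changed", PAGE_CHANGED_PRIORITY),
                        ("tls1.2+gcm (constructed)", EXAMPLE_TLS12_GCM_PRIORITY)):
        print(label, analyse_priority(prio))
```

Two things the output makes visible: the default line was already TLS 1.2-only, so the CBC ciphers it enables are what the scanner reacts to; and a string built from NONE disables ciphers along with everything else, so the changed line, which re-adds no cipher at all, leaves nothing a GnuTLS server could negotiate. After editing the file, list what it really enables with `gnutls-cli -l --priority "<string>"` and confirm that the ESXi hosts still deliver syslog to port 1514.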