VMware Cloud Community
Wh33ly
Hot Shot
Hot Shot
Jump to solution

Heartbleed vulnerability OpenSSL

I see a lot of news according to the OpenSSL vulnerability a.k.a Heartbleed.

For some information :

http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

security - Heartbleed: What is it and what are options to mitigate it? - Server Fault

https://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

I did some searching but can't seem to find any relation with VMware/ESXi

My  question is does this also impact the vSphere environment in some way ?

Tags (3)
1 Solution

Accepted Solutions
MKguy
Virtuoso
Virtuoso
Jump to solution

I hope VMware will soon release a Security Advisory clearing things up and providing updates for this horrible issue (which isn't their fault though).

The heartbleed openssl bug seems to affect ESXi as well. Recent Linux-based virtual appliances like the VCSA, vMA etc might be vulnerable too:

What versions of the OpenSSL are affected?

Status of different versions:

   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

    OpenSSL 1.0.1g is NOT vulnerable

    OpenSSL 1.0.0 branch is NOT vulnerable

    OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug

Let's have a look at an ESXi 5.5 GA (no U1) host:

# vmware -vl

VMware ESXi 5.5.0 build-1331820

VMware ESXi 5.5.0 GA


# openssl version -a

OpenSSL 1.0.1e 11 Feb 2013

built on: Tue Feb 26 16:34:26 PST 2013

Now here's an up-to-date ESXi 5.1 U2 host:

# vmware -vl

VMware ESXi 5.1.0 build-1612806

VMware ESXi 5.1.0 Update 2


~ # openssl version -a

OpenSSL 0.9.8y 5 Feb 2013

built on: Wed Mar 20 20:44:08 PDT 2013

As you can see, ESXi 5.5 runs the vulnerable openssl 1.0.1 branch. ESXi 5.1 U2 on the other hand is using the openssl 0.9.8 branch. Hence versions prior to ESXi 5.5 should be unaffected.

I have an older vMA 5.1 virtual appliance which is unaffected as well:

# cat /etc/vma-release

vMA 5.1.0 BUILD-1062361

# cat /etc/SuSE-release

SUSE Linux Enterprise Server 11 (x86_64)

VERSION = 11

PATCHLEVEL = 2

# openssl version -a

OpenSSL 1.0.0c 2 Dec 2010

At least the Windows-based vCenter Inventory Service seems to depend on the openssl libary as well:

A 5.1 U2 vCenter seems safe though:

"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a

OpenSSL 0.9.8y 5 Feb 2013

built on: Tue Feb 12 23:38:08 2013

There are two openssl binaries on a test vCenter 5.5 GA  of mine, with one of them having a vulnerable version:

"C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a

OpenSSL 1.0.1e 11 Feb 2013

built on: Tue Feb 12 19:37:08 2013

"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a

OpenSSL 0.9.8y 5 Feb 2013

built on: Tue Feb 12 23:38:08 2013

-- http://alpacapowered.wordpress.com

View solution in original post

Reply
0 Kudos
11 Replies
MKguy
Virtuoso
Virtuoso
Jump to solution

I hope VMware will soon release a Security Advisory clearing things up and providing updates for this horrible issue (which isn't their fault though).

The heartbleed openssl bug seems to affect ESXi as well. Recent Linux-based virtual appliances like the VCSA, vMA etc might be vulnerable too:

What versions of the OpenSSL are affected?

Status of different versions:

   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

    OpenSSL 1.0.1g is NOT vulnerable

    OpenSSL 1.0.0 branch is NOT vulnerable

    OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug

Let's have a look at an ESXi 5.5 GA (no U1) host:

# vmware -vl

VMware ESXi 5.5.0 build-1331820

VMware ESXi 5.5.0 GA


# openssl version -a

OpenSSL 1.0.1e 11 Feb 2013

built on: Tue Feb 26 16:34:26 PST 2013

Now here's an up-to-date ESXi 5.1 U2 host:

# vmware -vl

VMware ESXi 5.1.0 build-1612806

VMware ESXi 5.1.0 Update 2


~ # openssl version -a

OpenSSL 0.9.8y 5 Feb 2013

built on: Wed Mar 20 20:44:08 PDT 2013

As you can see, ESXi 5.5 runs the vulnerable openssl 1.0.1 branch. ESXi 5.1 U2 on the other hand is using the openssl 0.9.8 branch. Hence versions prior to ESXi 5.5 should be unaffected.

I have an older vMA 5.1 virtual appliance which is unaffected as well:

# cat /etc/vma-release

vMA 5.1.0 BUILD-1062361

# cat /etc/SuSE-release

SUSE Linux Enterprise Server 11 (x86_64)

VERSION = 11

PATCHLEVEL = 2

# openssl version -a

OpenSSL 1.0.0c 2 Dec 2010

At least the Windows-based vCenter Inventory Service seems to depend on the openssl libary as well:

A 5.1 U2 vCenter seems safe though:

"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a

OpenSSL 0.9.8y 5 Feb 2013

built on: Tue Feb 12 23:38:08 2013

There are two openssl binaries on a test vCenter 5.5 GA  of mine, with one of them having a vulnerable version:

"C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a

OpenSSL 1.0.1e 11 Feb 2013

built on: Tue Feb 12 19:37:08 2013

"C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a

OpenSSL 0.9.8y 5 Feb 2013

built on: Tue Feb 12 23:38:08 2013

-- http://alpacapowered.wordpress.com
Reply
0 Kudos
hostasaurus
Enthusiast
Enthusiast
Jump to solution

This is easy to test for.  You must test from a host running OpenSSL 1.0.1 though or it will not work:

openssl s_client -connect ESXHOST:443 -tlsextdebug

If you see:

TLS server extension "heartbeat" (id=15), len=1

in the output, then it's running OpenSSL 1.0.1, and based on the fact that the fix only came out yesterday, then it is therefore vulnerable.  I just tested a 5.5 build 1331820 host and it did respond with the heartbeat extension, so 5.5 is vulnerable.

MKguy
Virtuoso
Virtuoso
Jump to solution

There are already a few sites up that test for the heartbeat extension and also try to actively exploit it if it's enabled:

http://possible.lv/tools/hb/

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/

I can confirm that they successfully detect a vulnerable Linux host.

If anyone happens to have or temporarily arrange for internet-facing hosts/vCenters/other vSphere products, they should give it a try.

Edit:

https://github.com/justfalter/heartbleed/blob/master/jared_stafford/heartbleed.py

Tested the above script against a 5.5 host and it reports vulnerable as expected, while <5.5 does not.

-- http://alpacapowered.wordpress.com
Reply
0 Kudos
Wh33ly
Hot Shot
Hot Shot
Jump to solution

So to wrap it up we have the versions below checked (marked in red are vulnerable)

What versions of the OpenSSL are affected?


Status of different versions:

     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

     OpenSSL 1.0.1g is NOT vulnerable

     OpenSSL 1.0.0 branch is NOT vulnerable

     OpenSSL 0.9.8 branch is NOT vulnerable


ProductBuildOpenSSL Version
ESXi 5.1 U2VMware ESXi 5.1.0 build-1612806OpenSSL 0.9.8y 5 Feb 2013
ESXi 5.5 GA (no U1)VMware ESXi 5.5.0 build-1331820OpenSSL 1.0.1e 11 Feb 2013
vCenter 5.1 U1VMware vCenter Server 5.1.0 Build 1235232OpenSSL 0.9.8t 18 Jan 2012
vCenter 5.1 U2<unknown>OpenSSL 0.9.8y 5 Feb 2013
vCenter 5.5 GA<unknown>OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 0.9.8y 5 Feb 2013
vMA 5.0 virtual appliancevMA 5.0.0 BUILD-724898OpenSSL 0.9.8j-fips 07 Jan 2009
vMA 5.1 virtual appliancevMA 5.1.0 BUILD-1062361

OpenSSL 1.0.0c 2 Dec 2010

I also noticed a similar post Patch for ESXi SSL Heartbleed vulnerability?

Reply
0 Kudos
jackshu
Enthusiast
Enthusiast
Jump to solution

I'm running vcenter 5.5.0.10000 build 1624811 appliance and it shows its running openssl version 0.9.8j

We ran a scan on our entire network and found all of our vmware hosts (5.5.0 1623387) are affected but vcenter appliance is not affected.

I've opened a ticket with vmware to find out when they plan to release a patch, so far haven't gotten very far.  They haven't even acknowledged that esxi is affected.

Reply
0 Kudos
dariusd
VMware Employee
VMware Employee
Jump to solution

For the latest on this issue, including lists of our products known to be affected, please see VMware KB: Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed".

Cyberfed27
Hot Shot
Hot Shot
Jump to solution

This sucks, I am not looking forward to having to patch our vCenter 5.5 installation. Hopefully VMware gets it right the first time as they have less than a stellar record with vCenter upgrades/patches. Definitely not going to be the first to guinea pig the solution. Like everyone else.....we are standing by...

Reply
0 Kudos
RTFM_Again
Contributor
Contributor
Jump to solution

I patched my Dev environment. 5.5 U1 to 5.5 U1a and all of my host still show the "TLS server extension "heartbeat" (id=15), len=1" value which would suggest it is still vulnerable (yes the hosts were rebooted). Also the OpenSSL on vCenter is still showing 1.0.1e

"C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a

OpenSSL 1.0.1e 11 Feb 2013

built on: Tue Feb 12 19:37:08 2013

platform: VC-WIN64A

vCenter is showing build 1750787 and ESXi hosts are showing build 1746018

So I am not sure what the deal is here. Did they even fix anything?

Is anyone else seeing this after the patch?

Reply
0 Kudos
sgarry
Contributor
Contributor
Jump to solution


I just wanted to let you know that we opened up a case with vmware in regards to the update for vCenter 175078, still showing the OpenSSL to be at 1.0.1e and they have confirmed that this is expected but as long as you have the update installed you are protected.  Below is the exact response we received:

"I have been doing my research and also clarified about this with my senior engineers.

Ultimately got to know that upgrading vCenter to 5.5.0 c fixes the Heart Bleed attack issue without upgrading the Open SSL version to 1.0.1g.

So, as per the update which i received, we are safe now and the version 1.0.1e which is showing is expected with the update but unfortunately it is not clearly documented yet in any articles of VMware."

Reply
0 Kudos
RTFM_Again
Contributor
Contributor
Jump to solution

sgarry

They added this note.

Note: These releases upgrade the OpenSSL libraries. The openssl.exe file remains unchanged and will display the same version number as it did previously.


Cheers

Reply
0 Kudos
vNEX
Expert
Expert
Jump to solution

New valuable content for this issue was published:

Posted on April 25, 2014 by Rick Blythe

Patching ESXi 5.5 for Heartbleed without installing Update 1 | VMware Support Insider - VMware Blogs

_________________________________________________________________________________________ If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards, P.
Reply
0 Kudos