VMware Cloud Community
Russv99

Sweet32 Ciphers and 6.7 ESXi

Hi,

Has anyone had an issue with v6.7 ESXi and Sweet32 ciphers? Our corporate Qualys scan says it's detecting potential birthday attacks "against TLS ciphers with 64bit block size vulnerability (Sweet32)" on port 9080, used by the I/O Filter Service.

I've researched and not found any information specific to ESXi servers; other VMware products, yes, but not ESXi. I have already disabled TLS 1.0 and 1.1 using the TLS Reconfiguration Utility.

I am hoping this is a false positive.

Thanks

Accepted Solution
Russv99

A colleague raised a ticket with VMware for this, and a summary of the answer provided is:

There is currently no permanent solution for this, it will be fixed in ESXi 6.7 P07 which will be released in Q1 of this year (before the end of March).

The ipfiltervpd service is not a critical one for ESXi hosts, and it can be stopped until the fixed version is released.

ipfiltervpd service information below:

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC... 

https://techpartnerhub.vmware.com/programs/vaio-vsphere-apis-for-i-o-filtering


3 Replies
Zabir89

We have the same vulnerability on the ESXi host. Please suggest the remediation steps.

Issue ID: 38657
Issue Title: Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
Thanks, Zabir
csanchez3

Port 9080 accepts connections using weak ciphers. An easy way to check this is to ssh into ESXi and run these commands:

openssl s_client -connect 127.0.0.1:9080 -cipher DES-CBC3-SHA

openssl s_client -connect 127.0.0.1:9080 -cipher ECDHE-RSA-DES-CBC3-SHA

Both of these connect for me. Neither should.

I'm seeing this in ESXi 6.7.0 build 18828794. My older ESXi 6.7.0 build 17167734 systems are not affected.

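The two s_client commands above check one suite at a time by eye. The script below is an added example (not VMware's code and not from the poster) that automates the same check: it offers each 3DES suite on its own to a listener and reads the "Cipher is ..." line s_client prints, so the result is a machine-readable accepted/rejected verdict per suite. It assumes an OpenSSL with s_client on PATH (the binary bundled with ESXi is enough) and that HOST:PORT is reachable; the third suite name, ECDH-RSA-DES-CBC3-SHA, is an assumption beyond the two the thread tested, added because it uses the same 64-bit-block cipher.

```shell
#!/bin/sh
# Added example, not VMware's or the poster's code: probe one TLS listener for
# the 64-bit-block (3DES) cipher suites that the Qualys Sweet32 finding flags,
# and report which ones the server actually negotiates.
# Assumes: openssl s_client on PATH, HOST:PORT reachable from where it runs.

# OpenSSL names of the 3DES suites. The two the thread tested plus
# ECDH-RSA-DES-CBC3-SHA (an assumption, same 64-bit-block cipher).
SWEET32_CIPHERS="DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA"

# classify_handshake: reads s_client output on stdin.
# After a successful handshake s_client prints e.g.
#   "New, TLSv1.2, Cipher is DES-CBC3-SHA"
# and when the server refuses every offered suite it prints
#   "New, (NONE), Cipher is (NONE)"   (older builds: "Cipher is 0000").
# Prints "accepted <suite>" or "rejected".
classify_handshake() {
    cipher=$(sed -n 's/^.*Cipher is \([^ ]*\).*$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)"|"0000") echo "rejected" ;;
        *)                  echo "accepted $cipher" ;;
    esac
}

# probe_port HOST PORT: offer each suite alone, so the server cannot pick a
# strong suite and mask the result. Returns 1 if any 3DES suite was accepted
# (the scanner finding is real), 0 if all were rejected.
probe_port() {
    host=$1; port=$2; bad=0
    for suite in $SWEET32_CIPHERS; do
        result=$(openssl s_client -connect "$host:$port" -cipher "$suite" \
                     </dev/null 2>/dev/null | classify_handshake)
        echo "$host:$port $suite -> $result"
        case "$result" in accepted*) bad=1 ;; esac
    done
    return $bad
}

# Usage (over SSH on the ESXi host): sh sweet32_check.sh 127.0.0.1 9080
if [ $# -ge 1 ]; then
    probe_port "$1" "${2:-9080}"
fi
```

Two caveats when reading the output. If the local OpenSSL was built without 3DES, s_client fails before it ever connects and the script reports "rejected" for that suite, which is a false negative; confirm first with `openssl ciphers DES-CBC3-SHA`. On an OpenSSL 1.1.1 or newer client talking to a server that offers TLS 1.3, add `-tls1_2` so a TLS 1.3 AES suite cannot be negotiated instead of the one under test (not an issue on ESXi 6.7, which has no TLS 1.3).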