carlosCRO
Contributor

vCSA 6.5 and qualys scan

Hi,

I'm getting several vulnerabilities in the latest vCSA version after using the TLS reconfiguration tool to disable TLSv1:

QID 38604 - TLS CBC Incorrect Padding Abuse Vulnerability port 1514/tcp over SSL

QID 11827 - HTTP Security Header Not Detected port 443/tcp, port 5480/tcp

On ESXi hosts:

QID 86476 - Web Server Stopped Responding port 9080/tcp over SSL

QID 11827 - HTTP Security Header Not Detected port 443/tcp

Can someone point me in the right direction to resolve these issues?

5 Replies
HassanAlKak88
Expert

Hello,

Kindly find the following: Disable TLS Versions on ESXi Hosts

Please consider marking this answer "CORRECT" or "Helpful" if you think your question has been answered correctly.

Cheers,

VCIX6-NV|VCP-NV|VCP-DC|

@KakHassan

linkedin.com/in/hassanalkak

carlosCRO
Contributor

Hi,

I followed this procedure already, and the results after the Qualys scan are those vulnerabilities on the vCSA and ESXi hosts.

I can't find any guidance on how to correct it.

Best regards,

Nenad

vmadmin1251
Contributor

Did you ever get this resolved? We just got this on a scan too. TLSv1.2 is the only protocol enabled.

vmadmin1251
Contributor

FWIW, for QID 38604 we got this response from VMware.

The Qualys Bug ID: 38604 is a false positive; we had filed an internal bug to track whether the Qualys report was a vulnerability, and the result shared is below.

"The selected cipher "ECDHE-RSA-AES256-SHA384" is from the "TLSv1/SSLv3" family; that doesn't mean the server is supporting the SSLv3 protocol.
The protocol used is "Protocol : TLSv1.2" and no issues were observed here.
It is possible that Qualys is flagging QID 38604 as it picks up on ECDHE-RSA-AES256-SHA384, which belongs to the SSLv3 family (although not in use). This is an assumption; we don't have information as to why Qualys is flagging this."
Conclusion: vCSA does not use the SSLv3 protocol on port 1514, so this is a false positive.

wubtub
Contributor

Howdy,

I know this post is old, but I figured I would reply anyway.

Beware: an update to the appliance might revert these changes, I have no idea.

I get this one all the time: QID 11827 - HTTP Security Header Not Detected port 443/tcp, port 5480/tcp

Try this in /etc/applmgmt/appliance/lighttpd.conf:

setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                               "X-Frame-Options" => "Deny",
                               "Cache-Control" => "max-age=0, no-store, no-cache, must-revalidate, no-cache=set-cookie",
                               "Pragma" => "no-cache",
                               "X-XSS-Protection" => "1; mode=block",
                               "X-Content-Type-Options" => "nosniff",
                               "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )

Then systemctl restart vami-lighttp

I ran into this issue as well: QID 38604 - TLS CBC Incorrect Padding Abuse Vulnerability port 1514/tcp over SSL

Qualys doesn't care if only TLS 1.2 is enabled; it's not actually testing a handshake, as that would incur too much load on some systems. I think all it does is scan files for text and issue status commands to services. The mere presence of a bad cipher in any conf file or command output causes Qualys to whine. Rsyslog uses GnuTLS, whose settings are in /etc/gnutls/default-priorities:

SYSTEM=NONE:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+AEAD:+SHA384:+SHA256:+SHA1:+COMP-NULL:+VERS-TLS1.2:+SIGN-RSA-SHA224:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-DSA-SHA224:+SIGN-DSA-SHA256:+SIGN-ECDSA-SHA224:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+CTYPE-OPENPGP:+CTYPE-X509:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM

I changed this ^ to this v (in addition to running /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2)

SYSTEM=NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL

I got a clean scan!

You might also be able to, in /etc/rsyslog.conf, manually load this module like this at the top of your conf:

module( load="imtcp"
        streamdriver.name="gtls"
        streamdriver.mode="1"
        streamdriver.authmode="anon"
        gnutlsprioritystring="NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL" )

input(type="imtcp" port="1514")

Then systemctl restart rsyslog

Let me know if this works out for anyone else!

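The header fix above is easy to get subtly wrong, and a scanner keeps reporting QID 11827 until the values are well-formed (for example, Strict-Transport-Security without a max-age= directive is ignored by browsers). The script below, added here as an example and not code from the thread or from VMware, audits a response header set against a small policy; the policy itself (which headers are required and which values pass) is an assumption, not Qualys's published check. The two sample header sets are constructed; fetch_headers is included for running the same audit against a live appliance on port 443 or 5480.

```python
"""Audit HTTP response headers for the items a QID 11827 finding points at.

Added example, not code from the forum thread or from VMware. The policy
(required headers and acceptable values) is the editor's assumption.
"""
import http.client
import re
import ssl
from typing import Dict, List

# Browsers only honour HSTS when the value carries a max-age directive.
HSTS_MAX_AGE = re.compile(r"(?:^|;)\s*max-age\s*=\s*(\d+)", re.IGNORECASE)
ONE_YEAR = 31536000


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the policy is satisfied."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        m = HSTS_MAX_AGE.search(hsts)
        if m is None:
            findings.append("Strict-Transport-Security lacks max-age= and will be ignored by browsers")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age is shorter than one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    return findings


def fetch_headers(host: str, port: int = 443, path: str = "/", verify: bool = True) -> Dict[str, str]:
    """HEAD request over TLS. verify=False is needed for appliances with self-signed certificates."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample: HSTS value written without the max-age= directive.
SAMPLE_MALFORMED = {
    "X-Frame-Options": "Deny",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "31536000; includeSubdomains",
}

# Constructed sample: the same headers with a well-formed HSTS value.
SAMPLE_CORRECT = {
    "X-Frame-Options": "Deny",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, sample in (("malformed", SAMPLE_MALFORMED), ("correct", SAMPLE_CORRECT)):
        print(name, audit_headers(sample) or "OK")
```

Run it before and after editing lighttpd.conf (fetch_headers(host, 5480, verify=False) for the VAMI port) and keep the output with the change ticket; the audit result is what you show the scanner team when the finding is disputed.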
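The two /etc/gnutls/default-priorities strings above are hard to compare by eye, and the QID 38604 finding is about CBC ciphers rather than protocol versions. The parser below, added here as an example and not part of rsyslog, GnuTLS or the VMware appliance, reads a GnuTLS priority string and reports which protocol versions and ciphers it leaves enabled, so that a CBC suite or a legacy version can be spotted before the next scan. It models only strings that start with NONE (the keyword set it understands is an assumption limited to versions and symmetric ciphers); strings that start from a built-in keyword such as NORMAL inherit defaults it does not know and are rejected. The two sample strings are the ones quoted in the thread.

```python
"""Report protocol versions and ciphers enabled by a GnuTLS priority string.

Added example, not part of rsyslog, GnuTLS or the VMware appliance. Only
NONE-based strings are modelled; version and cipher keyword sets below are
the editor's assumption and cover the common names only.
"""
from typing import Dict, Set

VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3", "DTLS0.9", "DTLS1.0", "DTLS1.2"}
TLS_VERSIONS = {v for v in VERSIONS if v.startswith("TLS")}
DTLS_VERSIONS = {v for v in VERSIONS if v.startswith("DTLS")}
LEGACY_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1"}

CIPHERS = {
    "AES-128-CBC", "AES-256-CBC", "AES-128-GCM", "AES-256-GCM", "AES-128-CCM", "AES-256-CCM",
    "CAMELLIA-128-CBC", "CAMELLIA-192-CBC", "CAMELLIA-256-CBC", "CAMELLIA-128-GCM",
    "CAMELLIA-256-GCM", "CHACHA20-POLY1305", "3DES-CBC", "ARCFOUR-128",
}


def parse_priority(priority: str) -> Dict[str, Set[str]]:
    """Walk the colon-separated tokens; '+' adds, '-' and '!' remove."""
    tokens = priority.strip().split(":")
    if tokens[0].upper() != "NONE":
        raise ValueError("only NONE-based priority strings are modelled")
    versions: Set[str] = set()
    ciphers: Set[str] = set()
    for tok in tokens[1:]:
        if not tok:
            continue
        op, name = tok[0], tok[1:].upper()
        if op not in "+-!":
            raise ValueError(f"bad token {tok!r}")
        if name.startswith("VERS-"):
            v = name[5:]
            targets = {"ALL": VERSIONS, "TLS-ALL": TLS_VERSIONS, "DTLS-ALL": DTLS_VERSIONS}.get(v, {v} & VERSIONS)
            group = versions
        elif name == "CIPHER-ALL":
            targets, group = CIPHERS, ciphers
        elif name == "CIPHER-GCM-ALL":
            targets, group = {c for c in CIPHERS if c.endswith("GCM")}, ciphers
        elif name in CIPHERS:
            targets, group = {name}, ciphers
        else:
            continue  # key exchange, MAC, signature, curve and ctype tokens are not audited
        if op == "+":
            group |= targets   # in-place update of the bound set
        else:
            group -= targets
    return {"versions": versions, "ciphers": ciphers}


def findings(priority: str) -> Dict[str, Set[str]]:
    """What a CBC-padding or legacy-protocol check would object to."""
    parsed = parse_priority(priority)
    return {
        "legacy_versions": parsed["versions"] & LEGACY_VERSIONS,
        "cbc_ciphers": {c for c in parsed["ciphers"] if c.endswith("-CBC")},
    }


# Sample strings as quoted in the thread (appliance default, then the edited value).
APPLIANCE_DEFAULT = (
    "NONE:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+AEAD:+SHA384:+SHA256:"
    "+SHA1:+COMP-NULL:+VERS-TLS1.2:+SIGN-RSA-SHA224:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:"
    "+SIGN-DSA-SHA224:+SIGN-DSA-SHA256:+SIGN-ECDSA-SHA224:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA384:"
    "+SIGN-ECDSA-SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+CTYPE-OPENPGP:+CTYPE-X509:"
    "-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM"
)
HARDENED = "NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL"

if __name__ == "__main__":
    for label, s in (("default", APPLIANCE_DEFAULT), ("hardened", HARDENED)):
        print(label, parse_priority(s), findings(s))
```

The default string already restricts versions to TLS 1.2, so the scanner's complaint is explained by the two AES CBC suites it enables, which the parser lists under cbc_ciphers; the edited string enables none of the modelled ciphers, which is worth checking against the syslog client's own priority string before relying on it for TLS log transport.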