PGU94
Contributor
Contributor

vCenter 6u2 - TCP Vulnerabilitiy issues with openssl CVE-2016-2076

Jump to solution

Hello,

I have 2 vulnerabilitiy issues detected on port "ldap (636/tcp)" and "unknow (11712/tcp)" on my vCenter 6 update 2 server =>

=========

1) "www (636/tcp)":

OpenSSL AES-NI Padding Oracle MitM Information Disclosure

  Synopsis : 

It was possible to obtain sensitive information from the remote host with TLS-enabled services.

  Description : 

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability due to an error in the implementation of ciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256.

The implementation is specially written to use the AES acceleration available in x86/amd64 processors (AES-NI). The error messages returned by the server allow allow a man-in-the-middle attacker to conduct a padding oracle attack, resulting in the ability to decrypt network traffic.

  See also : 

https://blog.filippo.io/luckyminus20/

http://www.nessus.org/u?37b909b6

https://www.openssl.org/news/secadv/20160503.txt

  Solution : 

Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.

  Plugin Output : 

Nessus was able to trigger a RECORD_OVERFLOW alert in the

remote service by sending a crafted SSL "Finished" message.

  CVE : 

CVE-2016-2107

  BID : 

BID 89760

  Other References : 

OSVDB:137896

EDB-ID:39768

IAVA:2016-A-0113

  Nessus Plugin ID : 91572

  VulnDB ID: 383666



2) "unknow (11712/tcp)":

OpenSSL AES-NI Padding Oracle MitM Information Disclosure

  Synopsis : 

It was possible to obtain sensitive information from the remote host with TLS-enabled services.

  Description : 

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability due to an error in the implementation of ciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256.

The implementation is specially written to use the AES acceleration available in x86/amd64 processors (AES-NI). The error messages returned by the server allow allow a man-in-the-middle attacker to conduct a padding oracle attack, resulting in the ability to decrypt network traffic.

  See also : 

https://blog.filippo.io/luckyminus20/

http://www.nessus.org/u?37b909b6

https://www.openssl.org/news/secadv/20160503.txt

  Solution : 

Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.

  Plugin Output : 

Nessus was able to trigger a RECORD_OVERFLOW alert in the

remote service by sending a crafted SSL "Finished" message.

  CVE : 

CVE-2016-2107

  BID : 

BID 89760

  Other References : 

OSVDB:137896

EDB-ID:39768

IAVA:2016-A-0113

  Nessus Plugin ID : 91572

  VulnDB ID: 383666


=========

I can't find a fix or a new version, is anyone have an idea?

Maybe, I must waiting the next vcenter update? update 3 ???

Tags (1)
0 Kudos
1 Solution

Accepted Solutions
PGU94
Contributor
Contributor

Yes, after applying 6u3 update, my scan TCP is now clean.

View solution in original post

0 Kudos
8 Replies
SnowRanger
Contributor
Contributor

I'm experiencing the same vulnerability. I've posted about it here as well: NSX - Padding Oracle vulnerability - CVE-2016-2107

I think VMware needs to update the OpenSSL libraries within their products. I'm a bit perplexed since this vulnerability was found in April and was patched early May by OpenSSL.

If anyone knows of a way to mitigate or resolve please share!

0 Kudos
SatheshVM09
Contributor
Contributor

Yes. We also experiencing the same on 2 vCetner Server 6u2......

0 Kudos
PGU94
Contributor
Contributor

Hi SnowRanger,

Do you have received some new informations from Vmware ?

0 Kudos
baksabalazs
Contributor
Contributor

Hi,

seems to be planned in vSphere 6.0 U3, in Q1 2017.

0 Kudos
tfry
Contributor
Contributor

Are you kidding? I have been told it would be out last month. Then told end of this month. Now they are pushing this back father?

0 Kudos
baksabalazs
Contributor
Contributor

VMware vCenter Server 6.0 Update 3 Release Notes --> Update to OpenSSL. OpenSSL is updated to version 1.0.2j.

0 Kudos
Bleeder
Hot Shot
Hot Shot

Better 9+ months late than never, I guess..

0 Kudos
PGU94
Contributor
Contributor

Yes, after applying 6u3 update, my scan TCP is now clean.

0 Kudos