Hello,
I have 2 vulnerabilitiy issues detected on port "ldap (636/tcp)" and "unknow (11712/tcp)" on my vCenter 6 update 2 server =>
=========
1) "www (636/tcp)":
OpenSSL AES-NI Padding Oracle MitM Information Disclosure
Synopsis :
It was possible to obtain sensitive information from the remote host with TLS-enabled services.
Description :
The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability due to an error in the implementation of ciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256.
The implementation is specially written to use the AES acceleration available in x86/amd64 processors (AES-NI). The error messages returned by the server allow allow a man-in-the-middle attacker to conduct a padding oracle attack, resulting in the ability to decrypt network traffic.
See also :
https://blog.filippo.io/luckyminus20/
http://www.nessus.org/u?37b909b6
https://www.openssl.org/news/secadv/20160503.txt
Solution :
Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.
Plugin Output :
Nessus was able to trigger a RECORD_OVERFLOW alert in the
remote service by sending a crafted SSL "Finished" message.
CVE :
BID :
Other References :
OSVDB:137896
EDB-ID:39768
IAVA:2016-A-0113
Nessus Plugin ID : 91572
VulnDB ID: 383666
2) "unknow (11712/tcp)":
OpenSSL AES-NI Padding Oracle MitM Information Disclosure
Synopsis :
It was possible to obtain sensitive information from the remote host with TLS-enabled services.
Description :
The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability due to an error in the implementation of ciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256.
The implementation is specially written to use the AES acceleration available in x86/amd64 processors (AES-NI). The error messages returned by the server allow allow a man-in-the-middle attacker to conduct a padding oracle attack, resulting in the ability to decrypt network traffic.
See also :
https://blog.filippo.io/luckyminus20/
http://www.nessus.org/u?37b909b6
https://www.openssl.org/news/secadv/20160503.txt
Solution :
Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.
Plugin Output :
Nessus was able to trigger a RECORD_OVERFLOW alert in the
remote service by sending a crafted SSL "Finished" message.
CVE :
BID :
Other References :
OSVDB:137896
EDB-ID:39768
IAVA:2016-A-0113
Nessus Plugin ID : 91572
VulnDB ID: 383666
=========
I can't find a fix or a new version, is anyone have an idea?
Maybe, I must waiting the next vcenter update? update 3 ???
Yes, after applying 6u3 update, my scan TCP is now clean.
I'm experiencing the same vulnerability. I've posted about it here as well: NSX - Padding Oracle vulnerability - CVE-2016-2107
I think VMware needs to update the OpenSSL libraries within their products. I'm a bit perplexed since this vulnerability was found in April and was patched early May by OpenSSL.
If anyone knows of a way to mitigate or resolve please share!
Yes. We also experiencing the same on 2 vCetner Server 6u2......
Hi SnowRanger,
Do you have received some new informations from Vmware ?
Hi,
seems to be planned in vSphere 6.0 U3, in Q1 2017.
Are you kidding? I have been told it would be out last month. Then told end of this month. Now they are pushing this back father?
VMware vCenter Server 6.0 Update 3 Release Notes --> Update to OpenSSL. OpenSSL is updated to version 1.0.2j.
Better 9+ months late than never, I guess..
Yes, after applying 6u3 update, my scan TCP is now clean.