11 Replies Latest reply on Apr 26, 2014 2:11 PM by vNEX

    Heartbleed vulnerability OpenSSL

    Wh33ly Hot Shot

      I see a lot of news about the OpenSSL vulnerability, a.k.a. Heartbleed.

      For some information:

      http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

      security - Heartbleed: What is it and what are options to mitigate it? - Server Fault

      https://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

       

      I did some searching but can't seem to find any relation with VMware/ESXi.

      My question is: does this also impact the vSphere environment in some way?

        • 1. Re: Heartbleed vulnerability OpenSSL
          MKguy Virtuoso

          I hope VMware will soon release a Security Advisory clearing things up and providing updates for this horrible issue (which isn't their fault though).

          The heartbleed openssl bug seems to affect ESXi as well. Recent Linux-based virtual appliances like the VCSA, vMA etc. might be vulnerable too:

          What versions of the OpenSSL are affected?

          Status of different versions:

              OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
              OpenSSL 1.0.1g is NOT vulnerable
              OpenSSL 1.0.0 branch is NOT vulnerable
              OpenSSL 0.9.8 branch is NOT vulnerable

          Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

           

          Let's have a look at an ESXi 5.5 GA (no U1) host:

          # vmware -vl
          VMware ESXi 5.5.0 build-1331820
          VMware ESXi 5.5.0 GA

          # openssl version -a
          OpenSSL 1.0.1e 11 Feb 2013
          built on: Tue Feb 26 16:34:26 PST 2013

          Now here's an up-to-date ESXi 5.1 U2 host:

          # vmware -vl
          VMware ESXi 5.1.0 build-1612806
          VMware ESXi 5.1.0 Update 2

          ~ # openssl version -a
          OpenSSL 0.9.8y 5 Feb 2013
          built on: Wed Mar 20 20:44:08 PDT 2013

          As you can see, ESXi 5.5 runs the vulnerable openssl 1.0.1 branch. ESXi 5.1 U2 on the other hand is using the openssl 0.9.8 branch. Hence versions prior to ESXi 5.5 should be unaffected.

           

           

          I have an older vMA 5.1 virtual appliance which is unaffected as well:

          # cat /etc/vma-release
          vMA 5.1.0 BUILD-1062361

          # cat /etc/SuSE-release
          SUSE Linux Enterprise Server 11 (x86_64)
          VERSION = 11
          PATCHLEVEL = 2

          # openssl version -a
          OpenSSL 1.0.0c 2 Dec 2010

          At least the Windows-based vCenter Inventory Service seems to depend on the openssl library as well.

          A 5.1 U2 vCenter seems safe though:

          "C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a
          OpenSSL 0.9.8y 5 Feb 2013
          built on: Tue Feb 12 23:38:08 2013

          There are two openssl binaries on a test vCenter 5.5 GA of mine, with one of them having a vulnerable version:

          "C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a
          OpenSSL 1.0.1e 11 Feb 2013
          built on: Tue Feb 12 19:37:08 2013

          "C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe" version -a
          OpenSSL 0.9.8y 5 Feb 2013
          built on: Tue Feb 12 23:38:08 2013

          • 2. Re: Heartbleed vulnerability OpenSSL
            hostasaurus Enthusiast

            This is easy to test for. You must test from a host running OpenSSL 1.0.1 though or it will not work:

            openssl s_client -connect ESXHOST:443 -tlsextdebug

            If you see:

            TLS server extension "heartbeat" (id=15), len=1

            in the output, then it's running OpenSSL 1.0.1, and since the fix only came out yesterday, it is therefore vulnerable. I just tested a 5.5 build 1331820 host and it did respond with the heartbeat extension, so 5.5 is vulnerable.

            1 person found this helpful
            • 3. Re: Heartbleed vulnerability OpenSSL
              MKguy Virtuoso

              There are already a few sites up that test for the heartbeat extension and also try to actively exploit it if it's enabled:

              http://possible.lv/tools/hb/
              http://filippo.io/Heartbleed/
              https://www.ssllabs.com/ssltest/

              I can confirm that they successfully detect a vulnerable Linux host.
              If anyone happens to have or temporarily arrange for internet-facing hosts/vCenters/other vSphere products, they should give it a try.

              Edit:
              https://github.com/justfalter/heartbleed/blob/master/jared_stafford/heartbleed.py
              Tested the above script against a 5.5 host and it reports vulnerable as expected, while <5.5 does not.

              • 4. Re: Heartbleed vulnerability OpenSSL
                Wh33ly Hot Shot

                So to wrap it up we have the versions below checked (marked in red are vulnerable)

                What versions of the OpenSSL are affected?

                Status of different versions:

                     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
                     OpenSSL 1.0.1g is NOT vulnerable
                     OpenSSL 1.0.0 branch is NOT vulnerable
                     OpenSSL 0.9.8 branch is NOT vulnerable

                Product                   | Build                                      | OpenSSL Version
                --------------------------|--------------------------------------------|---------------------------------
                ESXi 5.1 U2               | VMware ESXi 5.1.0 build-1612806            | OpenSSL 0.9.8y 5 Feb 2013
                ESXi 5.5 GA (no U1)       | VMware ESXi 5.5.0 build-1331820            | OpenSSL 1.0.1e 11 Feb 2013
                vCenter 5.1 U1            | VMware vCenter Server 5.1.0 Build 1235232  | OpenSSL 0.9.8t 18 Jan 2012
                vCenter 5.1 U2            | <unknown>                                  | OpenSSL 0.9.8y 5 Feb 2013
                vCenter 5.5 GA            | <unknown>                                  | OpenSSL 1.0.1e 11 Feb 2013
                                          |                                            | OpenSSL 0.9.8y 5 Feb 2013
                vMA 5.0 virtual appliance | vMA 5.0.0 BUILD-724898                     | OpenSSL 0.9.8j-fips 07 Jan 2009
                vMA 5.1 virtual appliance | vMA 5.1.0 BUILD-1062361                    | OpenSSL 1.0.0c 2 Dec 2010

                I also noticed a similar post Patch for ESXi SSL Heartbleed vulnerability?
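Added example (not code from this thread, from VMware, or from the OpenSSL project): a small Python triage helper that parses the `openssl version -a` banner lines quoted in the table above and classifies them against the version ranges in the quoted list. The product names and banners in the constructed inventory come from the table; the parser, status labels and ranking are my own assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional

class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # "e" in 1.0.1e; "" for a bare 1.0.1

# Matches the first line of `openssl version -a`; a "-fips" suffix (0.9.8j-fips) is ignored.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Return the parsed version, or None if the line is not an OpenSSL banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def heartbleed_status(banner: str) -> str:
    """Classify a banner against the ranges quoted in the thread:
    1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8 branches never affected."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unparseable"
    if (v.major, v.minor, v.patch) != (1, 0, 1):
        return "not affected"  # outside the 1.0.1 branch (e.g. 0.9.8y, 1.0.0c)
    if v.letter >= "g":
        return "fixed"  # 1.0.1g and later
    return "vulnerable by version"  # 1.0.1 .. 1.0.1f

# Constructed inventory, using the products and banners reported in this thread.
INVENTORY: Dict[str, List[str]] = {
    "ESXi 5.1 U2": ["OpenSSL 0.9.8y 5 Feb 2013"],
    "ESXi 5.5 GA": ["OpenSSL 1.0.1e 11 Feb 2013"],
    "vCenter 5.5 GA": ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 0.9.8y 5 Feb 2013"],
    "vMA 5.0": ["OpenSSL 0.9.8j-fips 07 Jan 2009"],
    "vMA 5.1": ["OpenSSL 1.0.0c 2 Dec 2010"],
}

# Worst status wins per product; unparseable banners rank highest so a human looks at them.
RANK = {"not affected": 0, "fixed": 1, "vulnerable by version": 2, "unparseable": 3}

def triage(inventory: Dict[str, List[str]]) -> Dict[str, str]:
    """Flag a product if any of its OpenSSL builds is in the vulnerable range.
    Caveat (see replies 9 and 10 in this thread): a vendor update can replace the library
    while openssl.exe keeps reporting 1.0.1e, so "vulnerable by version" means "check the
    vendor advisory and installed patch level", not "confirmed vulnerable"."""
    return {product: max((heartbleed_status(b) for b in banners), key=RANK.__getitem__)
            for product, banners in inventory.items()}
```

A vCenter 5.5 GA with both a 1.0.1e and a 0.9.8y binary is flagged because the worst status per product wins.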

                • 5. Re: Heartbleed vulnerability OpenSSL
                  jackshu Novice

                  I'm running the vCenter 5.5.0.10000 build 1624811 appliance and it shows it's running openssl version 0.9.8j.

                  We ran a scan on our entire network and found all of our VMware hosts (5.5.0 1623387) are affected but the vCenter appliance is not affected.

                  I've opened a ticket with VMware to find out when they plan to release a patch, so far haven't gotten very far. They haven't even acknowledged that ESXi is affected.

                  • 6. Re: Heartbleed vulnerability OpenSSL
                    dariusd Virtuoso
                    VMware EmployeesUser Moderators

                    For the latest on this issue, including lists of our products known to be affected, please see VMware KB: Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed".

                    1 person found this helpful
                    • 7. Re: Heartbleed vulnerability OpenSSL
                      Cyberfed27 Hot Shot

                      This sucks, I am not looking forward to having to patch our vCenter 5.5 installation. Hopefully VMware gets it right the first time as they have less than a stellar record with vCenter upgrades/patches. Definitely not going to be the first to guinea pig the solution. Like everyone else.....we are standing by...

                      • 8. Re: Heartbleed vulnerability OpenSSL
                        RTFM_Again Lurker

                        I patched my Dev environment, 5.5 U1 to 5.5 U1a, and all of my hosts still show the "TLS server extension "heartbeat" (id=15), len=1" value, which would suggest it is still vulnerable (yes, the hosts were rebooted). Also the OpenSSL on vCenter is still showing 1.0.1e:

                        "C:\Program Files\VMware\CIS\openSSL\openssl.exe" version -a
                        OpenSSL 1.0.1e 11 Feb 2013
                        built on: Tue Feb 12 19:37:08 2013
                        platform: VC-WIN64A

                        vCenter is showing build 1750787 and ESXi hosts are showing build 1746018.

                        So I am not sure what the deal is here. Did they even fix anything?
                        Is anyone else seeing this after the patch?

                        • 9. Re: Heartbleed vulnerability OpenSSL
                          sgarry Lurker


                          I just wanted to let you know that we opened up a case with VMware in regards to the update for vCenter 175078, still showing the OpenSSL to be at 1.0.1e, and they have confirmed that this is expected, but as long as you have the update installed you are protected. Below is the exact response we received:

                          "I have been doing my research and also clarified about this with my senior engineers.

                          Ultimately got to know that upgrading vCenter to 5.5.0c fixes the Heartbleed attack issue without upgrading the OpenSSL version to 1.0.1g.

                          So, as per the update which I received, we are safe now and the version 1.0.1e which is showing is expected with the update but unfortunately it is not clearly documented yet in any articles of VMware."

                          • 10. Re: Heartbleed vulnerability OpenSSL
                            RTFM_Again Lurker

                            sgarry

                            They added this note.

                            Note: These releases upgrade the OpenSSL libraries. The openssl.exe file remains unchanged and will display the same version number as it did previously.

                            Cheers

                            • 11. Re: Heartbleed vulnerability OpenSSL
                              vNEX Expert
                              _________________________________________________________________________________________

                              If you found this or any other answer helpful, please consider awarding points (use the Correct or Helpful buttons).

                              Regards,
                              P.