5 Replies Latest reply on Jun 26, 2020 10:07 AM by wubtub

    vCSA 6.5 and qualys scan

    carlosCRO Lurker

      Hi,

I'm getting several vulnerabilities in the latest vCSA version after using the TLS reconfiguration tool to disable TLSv1:

      QID 38604 - TLS CBC Incorrect Padding Abuse Vulnerability port 1514/tcp over SSL

QID 11827 - HTTP Security Header Not Detected port 443/tcp, port 5480/tcp

      On ESXi hosts:

      QID 86476 - Web Server Stopped Responding port 9080/tcp over SSL

      QID 11827 - HTTP Security Header Not Detected port 443/tcp


Can someone point me in the right direction to resolve these issues?

        • 1. Re: vCSA 6.5 and qualys scan
          HassanAlKak88 Expert
          vExpert

          Hello,

Kindly find the following: Disable TLS Versions on ESXi Hosts

Please consider marking this answer "CORRECT" or "Helpful" if you think your question has been answered correctly.

          Cheers,

          VCIX6-NV|VCP-NV|VCP-DC|

          @KakHassan

          linkedin.com/in/hassanalkak

          • 2. Re: vCSA 6.5 and qualys scan
            carlosCRO Lurker

            Hi,

I followed this procedure already, and the result after the Qualys scan is those vulnerabilities on the vCSA and ESXi hosts.

Can't find any guidance on how to correct it.

            Best regards,

            Nenad

            • 3. Re: vCSA 6.5 and qualys scan
              vmadmin1251 Lurker

Did you ever get this resolved? We just got this on a scan too. TLSv1.2 is the only protocol enabled.

              • 4. Re: vCSA 6.5 and qualys scan
                vmadmin1251 Lurker

FWIW, for QID 38604 we got this response from VMware.

The Qualys Bug ID 38604 is a false positive; we had filed an internal bug to track whether the Qualys report was a vulnerability, and the result shared is below.

"The selected cipher "ECDHE-RSA-AES256-SHA384" is from the "TLSv1/SSLv3" family; that doesn't mean the server supports the SSLv3 protocol.
The protocol used is "Protocol : TLSv1.2" and no issues were observed here.
It is possible that Qualys is flagging QID 38604 as it picks up on ECDHE-RSA-AES256-SHA384, which belongs to the SSLv3 family (although not in use). This is an assumption; we don't have information as to why Qualys is flagging this."
Conclusion: vCSA does not use the SSLv3 protocol on port 1514, so this is a false positive.

                • 5. Re: vCSA 6.5 and qualys scan
                  wubtub Lurker

                  Howdy,

I know this post is old, but figured I would reply anyway.

Beware: an update to the appliance might revert these changes, I have no idea.

                  I get this one all the time: QID 11827 - HTTP Security Header Not Detected port 443/tcp, port 5480/tcp

                  Try this in /etc/applmgmt/appliance/lighttpd.conf:

                  # lighttpd adds these headers to every response on the VAMI ports
                  setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge",
                                                 "X-Frame-Options" => "Deny",
                                                 "Cache-Control" => "max-age=0, no-store, no-cache, must-revalidate, no-cache=set-cookie",
                                                 # the defined value is "no-cache"; "nocache" is not recognised by clients
                                                 "Pragma" => "no-cache",
                                                 "X-XSS-Protection" => "1; mode=block",
                                                 "X-Content-Type-Options" => "nosniff",
                                                 # HSTS requires the max-age= directive; a bare number is ignored by browsers
                                                 "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )

                  Then systemctl restart vami-lighttp


                  I ran into this issue as well: QID 38604 - TLS CBC Incorrect Padding Abuse Vulnerability port 1514/tcp over SSL

                  Qualys doesn't care if only TLS 1.2 is enabled, it's not actually testing a handshake as that would incur too much load on some systems.  I think all it does is scan files for text and issue status commands to services.  The mere presence of a bad cipher in any conf file or command output causes Qualys to whine.  Rsyslog uses gnutls, whose settings are /etc/gnutls/default-priorities:


                  SYSTEM=NONE:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+AEAD:+SHA384:+SHA256:+SHA1:+COMP-NULL:+VERS-TLS1.2:+SIGN-RSA-SHA224:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-DSA-SHA224:+SIGN-DSA-SHA256:+SIGN-ECDSA-SHA224:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+CTYPE-OPENPGP:+CTYPE-X509:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-256-GCM:-CAMELLIA-128-GCM


                  I changed this ^ to this v  (In addition to running /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc update -p TLSv1.2)


                  SYSTEM=NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL


                  I got a clean scan!


                  You might also be able to, in /etc/rsyslog.conf, manually load this module like this at the top of your conf:

                  # load the TCP syslog listener with the GnuTLS stream driver (mode 1 = TLS only,
                  # authmode anon = no peer certificate checks) and pin its GnuTLS priority string
                  module( load="imtcp"
                          streamdriver.name="gtls"
                          streamdriver.mode="1"
                          streamdriver.authmode="anon"
                          gnutlsprioritystring="NONE:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:+VERS-TLS1.2:+RSA:+SHA1:+COMP-NULL"
                          )
                  # the listener the scanner sees on 1514/tcp
                  input(type="imtcp" port="1514")

                  Then systemctl restart rsyslog


                  Let me know if this works out for anyone else!
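As an added example (not code from the post, VMware or Qualys), here is an offline check for both findings: it evaluates a GnuTLS priority string of the kind shown above and reports which protocol versions and ciphers it leaves enabled (and whether any CBC cipher survives), and it checks a response-header map for the headers the lighttpd snippet adds, including a well-formed HSTS value. Assumptions: only `NONE`-based priority strings are handled, and the regex for cipher keywords is my approximation of GnuTLS's naming.

```python
"""Offline checks for the two findings in this thread: headers on 443/5480 and
the GnuTLS priority string behind port 1514. Constructed inputs only."""
import re

# Headers the lighttpd.conf snippet in the thread adds (lower-cased).
REQUIRED_HEADERS = {
    "x-frame-options", "x-content-type-options", "x-xss-protection",
    "strict-transport-security", "cache-control", "pragma",
}
# Assumption: GnuTLS cipher keywords start with one of these algorithm names.
CIPHER_RE = re.compile(r"^(AES|CAMELLIA|CHACHA20|3DES|ARCFOUR)-")

def check_security_headers(headers):
    """Return a list of problems in a {name: value} response-header map."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems = ["missing " + h for h in sorted(REQUIRED_HEADERS - lower.keys())]
    hsts = lower.get("strict-transport-security", "")
    # Browsers ignore HSTS without a max-age directive, so a bare number is useless.
    if hsts and not re.search(r"\bmax-age=\d+", hsts):
        problems.append("strict-transport-security lacks max-age=")
    return problems

def evaluate_gnutls_priority(priority):
    """Evaluate a NONE-based priority string (optionally 'SYSTEM=' prefixed)
    left to right; report enabled protocol versions and ciphers, and whether
    a CBC cipher, the class QID 38604 is about, is still enabled."""
    tokens = priority.strip().split("=", 1)[-1].split(":")
    if tokens[0].upper() != "NONE":
        raise ValueError("only NONE-based priority strings are evaluated here")
    versions, ciphers, forbidden = [], [], set()
    for tok in tokens[1:]:
        if not tok:
            continue
        op, name = tok[0], tok[1:].upper()
        if name.startswith("VERS-"):
            bucket = versions
        elif CIPHER_RE.match(name):
            bucket = ciphers
        else:
            continue  # key exchange, MAC, signature, curve, compression: not tracked
        if op == "+" and name not in bucket and name not in forbidden:
            bucket.append(name)
        elif op in "-!" and name in bucket:
            bucket.remove(name)
        if op == "!":
            forbidden.add(name)  # '!' also blocks any later '+' of the same keyword
    return {"versions": versions, "ciphers": ciphers,
            "cbc": any(c.endswith("-CBC") for c in ciphers)}
```

Run against the two priority strings from the post, both evaluate to TLS 1.2 only; the difference is that the original still enables AES-CBC ciphers while the replacement enables none, which is what the scanner reacted to.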