pmorrison
Enthusiast

Installing ESX at a DoD facility

In order to have ESX connected to a DoD network you must pass the STIG requirements. When doing this you get several false findings like this:

PDI Number: IAVA0360

Finding Category: CAT I

Reference: IAVA 2003-A-0015

Description: There are multiple vulnerabilities in OpenSSL.

Status: Open

For example:

IAVA0360: IAVA 2003-A-0015

/usr/bin/openssl version 0.9.7a found on esx.fqdn.com 2.4.21-47.0.1.ELvmnix.

From conversations with others this is supposed to be a false finding and there are even KB articles that state such, but they all reference ESX 1.x and 2.x and nothing regarding 3.0.x or higher...

Does anyone have information that proves that this is a false finding?

kjb007
Immortal

Basically what I've found is that OpenSSL implements, or rather, allows SSL v2, v3 and TLS, and that in itself presents the problem. Most clients do not use the older v2 SSL, which is the version that has a few vulnerabilities, as it uses a weaker crypto algorithm than v3 or TLS. So far, I have not found a way to limit the SSL versions in the WebAccess, which is pretty much what those are used for, at least on the ESX side. Not sure if anyone else has either, which would be very good to know. If you want to mitigate that alert, turn off WebAccess, and the port 443 scan should not find that vulnerability any longer.

Hope that helps.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
pmorrison
Enthusiast

Well, the finding is not based on a port scan but on a script that is run from the host. DoD systems must pass a "Security Readiness Review", which is a shell script run on the host as root that searches for findings. The fact that the RPM used for openssl has an old version number is why this is showing up, and based on the talk at last year's VMworld the vulnerabilities were fixed but the version number was not updated...

The KB articles 1164, 1165 and 1167 talk about this being fixed but they don't mention ESX 3.x, which is why I am looking for an updated KB or anything else that can be presented to the FSO so that they will let the host on the network...

pmorrison
Enthusiast

Just realized that this should probably be in the security/compliance forum instead of here... If a mod wants to move it then ok..

kjb007
Immortal

For that specific vulnerability:

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Dave_Mishchenko
Immortal

Done.

pmorrison
Enthusiast

I wanted that to work so bad, but after installing the update and rerunning the DISA SRR script I still get these findings.

==========PDI=IAVA0350 Result========================

PDI Number: IAVA0350

Finding Category: CAT III

Reference: IAVA 2003-T-0020

Description: There is a buffer mismanagement vulnerability in OpenSSH prior to version 3.7.1.

Status: Open

For example:

IAVA0350: IAVA 2003-T-0020 - OpenSSH Buffer Mismanagement flaw - has

has not been applied to host.org. The OpenSSH version is 3.6.1 and

should be greater than 3.7.1p1.

==========PDI=IAVA0360 Result========================

PDI Number: IAVA0360

Finding Category: CAT I

Reference: IAVA 2003-A-0015

Description: There are multiple vulnerabilities in OpenSSL.

Status: Open

For example:

IAVA0360: IAVA 2003-A-0015

/usr/bin/openssl version 0.9.7a found on host.org 2.4.21-47.0.1.ELvmnix.

==========PDI=IAVA0410 Result========================

PDI Number: IAVA0410

Finding Category: CAT II

Reference: IAVA 2004-B-0006

Description: Detected an OpenSSL denial of service vulnerability.

Status: Open

For example:

IAVA0410: IAVA 2004-B-0006 OpenSSL denial of service - has not been.

implemented by upgrading to OpenSSL version 0.9.7d or higher.

The version on host.org is 0.9.7a.

kjb007
Immortal

Ok, so my question now to you would be, what is the script doing? Looking for vulnerabilities by testing for their existence, or looking for files? The advisory doc should help you with describing that your host is not vulnerable. Is that not what you wanted? I can't speak specifically to the script as I'm not exactly sure what it is doing to find vulnerabilities in the first place.

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
pmorrison
Enthusiast

Well.. the CVE numbers don't quite match up, and in order for the FSO to be happy with this being a false positive it would have to be a direct hit...

From my searches it seems that IAVA0360 (IAVA 2003-A-0015) relates to CVE CAN-2003-0543, CAN-2003-0544, CAN-2003-0545

Searching the KB, all three CVE numbers point to this article:

1165: Security Response to BugTraq 343055: Denial of Service Attack Vulnerabilities in OpenSSL Software Used in VMware GSX Server and ESX Server

The forum won't paste the URL correctly, but if you search for 1165 in the KB it should be the only hit.

The article would be perfect to state that this is a false finding except that it does not directly say that it relates to ESX 3.0.x or higher....

I have read on other threads that there is soon going to be a DISA STIG for ESX, but until then I have to work with what is already out there, and since we were told that this was "fixed" at VMworld I am just trying to find the documentation to back it up...

kjb007
Immortal

Try this one, it was updated and states in which version the issue was fixed:

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
pmorrison
Enthusiast

Yeah, I have seen that one. I guess all we can do at this point is show them these articles and tell them it's fixed... It would just be nice if either of the articles mentioned 3.x in them, since I am almost certain that DISA is going to bring it up that it doesn't...

Thanks for the help.

kjb007
Immortal

True, but the article states that the issue was fixed in 2.5.3, and now we are at 3.0.x. Just like Windows: if an issue was fixed in Windows 98, do you have to have the same vulnerability now stating that the issue is not there in Windows 2003? I'm not sure how that will go over, but it's worth a try.

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
Texiwill
Leadership

Hello,

STIG looks like it is inspecting the system, which is just fine for a security assessment tool, but if it is not designed specifically for ESX, anything it brings up is suspect. Specifically revisions.... The version # of OpenSSL that the STIG tool is using is not necessarily the same as what ESX has installed. For example, I know that VMware has patched OpenSSL several times. They have yet to change the version # of the RPMs much. Yet they are up to date with the latest fixes.

It is not always possible to 'upgrade' the ESX SC to fix these issues, but you have 3 choices going forward: fix the assessment tool (my recommendation); upgrade OpenSSL (which should not affect anything else on the system), which would require a RHEL3-ES QU6 (VI3.0.x) or RHEL3-ES QU8 (VI3.5.x) revision of the RPM; or open a support case with your VMware Support Representative to get the issue resolved. If it was me I would open the support case, but also test a later OpenSSL RPM on a system as well as offering feedback to the developers of the assessment tool.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
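The SRR output quoted earlier in the thread and the point just made above (the RPM keeps its 0.9.7a version string while fixes are backported) both come down to one question: can you show the FSO evidence that the CVEs behind a version-string finding are actually fixed? The script below is an added example, not code from the thread, DISA or VMware. It parses SRR result blocks in the format quoted above (the sample text is constructed from those quotes), pulls out the installed and required versions, and checks an RPM changelog for the CVE ids. The changelog shown is a constructed stand-in; when run on a host, real `rpm -q --changelog openssl` output can be piped in on stdin. The IAVA-to-CVE table holds only the 2003-A-0015 row given in the thread; the other advisories have to be filled in from their own references.

```python
"""Triage DISA SRR findings that key on a reported OpenSSL/OpenSSH version string.

Added example, not code from the thread, DISA or VMware. SRR_OUTPUT is constructed
to mirror the "=====PDI=... Result=====" blocks quoted in the thread; RPM_CHANGELOG
is a constructed stand-in for `rpm -q --changelog openssl`; IAVA_TO_CVE is a
hand-kept table whose only row (2003-A-0015) comes from the thread.
"""
import re
import sys

SRR_OUTPUT = """\
==========PDI=IAVA0350 Result========================
PDI Number: IAVA0350
Finding Category: CAT III
Reference: IAVA 2003-T-0020
Description: There is a buffer mismanagement vulnerability in OpenSSH prior to version 3.7.1.
Status: Open
For example:
IAVA0350: IAVA 2003-T-0020 - OpenSSH Buffer Mismanagement flaw - has
has not been applied to host.org. The OpenSSH version is 3.6.1 and
should be greater than 3.7.1p1.
==========PDI=IAVA0360 Result========================
PDI Number: IAVA0360
Finding Category: CAT I
Reference: IAVA 2003-A-0015
Description: There are multiple vulnerabilities in OpenSSL.
Status: Open
For example:
IAVA0360: IAVA 2003-A-0015
/usr/bin/openssl version 0.9.7a found on host.org 2.4.21-47.0.1.ELvmnix.
==========PDI=IAVA0410 Result========================
PDI Number: IAVA0410
Finding Category: CAT II
Reference: IAVA 2004-B-0006
Description: Detected an OpenSSL denial of service vulnerability.
Status: Open
For example:
IAVA0410: IAVA 2004-B-0006 OpenSSL denial of service - has not been.
implemented by upgrading to OpenSSL version 0.9.7d or higher.
The version on host.org is 0.9.7a.
"""

# Constructed changelog excerpt: the version string stays 0.9.7a, the CVE list shows backports.
RPM_CHANGELOG = """\
* Mon Mar 01 2004 Example Packager <pkg@example.invalid> 0.9.7a-33.12
- backport fixes for CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 (ASN.1 parsing)
"""

IAVA_TO_CVE = {"2003-A-0015": ("CAN-2003-0543", "CAN-2003-0544", "CAN-2003-0545")}

VER = r"\d+\.\d+\.\d+(?:p\d+|[a-z])?"
# The "For example:" text names the installed version in several phrasings and may
# also name the required version, so each phrasing is matched explicitly.
INSTALLED = [re.compile(p % VER) for p in (
    r"version\s+(%s)\s+found", r"version\s+is\s+(%s)", r"version\s+on\s+\S+\s+is\s+(%s)")]
REQUIRED = [re.compile(p % VER) for p in (
    r"greater\s+than\s+(%s)", r"version\s+(%s)\s+or\s+higher")]

def first_match(patterns, text):
    for pat in patterns:
        m = pat.search(text)
        if m:
            return m.group(1)
    return None

def parse_srr(text):
    """Split SRR output into one dict per PDI result block."""
    parts = re.split(r"^=+PDI=(\w+) Result=+\s*$", text, flags=re.M)
    findings = []
    for pdi, body in zip(parts[1::2], parts[2::2]):
        header, _, example = body.partition("For example:")
        fields = dict(re.findall(r"^([A-Za-z ]+):\s*(.*)$", header, flags=re.M))
        findings.append({
            "pdi": pdi,
            "category": fields.get("Finding Category"),
            "reference": fields.get("Reference", "").replace("IAVA ", ""),
            "status": fields.get("Status"),
            "installed": first_match(INSTALLED, example),
            "required": first_match(REQUIRED, example),
        })
    return findings

def triage(findings, changelog):
    """Attach the evidence an FSO would ask for: which CVEs the changelog documents."""
    out = []
    for f in findings:
        cves = IAVA_TO_CVE.get(f["reference"], ())
        documented = [c for c in cves if c in changelog]
        if not cves:
            verdict = "no CVE mapping"
        elif len(documented) == len(cves):
            verdict = "backport documented"
        else:
            verdict = "open"
        out.append(dict(f, cves=list(cves), documented=documented, verdict=verdict))
    return out

if __name__ == "__main__":
    # Pipe real `rpm -q --changelog openssl` output on stdin to use it instead of the sample.
    log = sys.stdin.read() if not sys.stdin.isatty() else RPM_CHANGELOG
    for r in triage(parse_srr(SRR_OUTPUT), log):
        print(r["pdi"], r["category"], r["installed"], r["required"], r["verdict"], r["documented"])
```

A "backport documented" verdict gives you the changelog lines to hand over with the finding; "open" means the CVE is not named in the package history and the finding should stay open until VMware or the RPM says otherwise; "no CVE mapping" only means the table has no row for that IAVA, not that the host is clean.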
pmorrison
Enthusiast

Thanks for the feedback. I know for a fact that there will be an ESX STIG and SRR released soon, so let's hope that when it is released it will address this issue. As soon as something is released on the DISA site I will post an update here.

TomHowarth
Leadership

ESX is undergoing EAL4+ certification under the Common Criteria; this should be released imminently. Once this is out we should all have a better idea of what is and is not required for SECRET and TOP SECRET implementations requiring ESX Server.

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
pmorrison
Enthusiast

We talked about this in other threads but since I said I would post a link when it was available, here it is...

http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf

And the checklist:

http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf

surfup
Enthusiast

So, what you are saying is we can disable WebAccess on the ESX server and that will mitigate the OpenSSL issue until we have time to patch the ESX server? How do you turn WebAccess off? Using the "esxcfg-firewall" command?

Thanks.

Texiwill
Leadership

Hello,

You really cannot disable webAccess if you use the VI SDK. Nor do you really want to do this.

You can close off the firewall but you WILL have an issue with all management. OpenSSL is used for more than webAccess, it is used for VIC to SC, vCenter to SC, VI SDK to SC, etc.

Not a good choice. As I stated earlier, I think it is a false positive, as the test is really designed for RedHat, not ESX.


Best regards, Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

surfup
Enthusiast

Edward,

Thanks for the info. However, we need to have a short term solution to mitigate two CAT I findings (2003-A-015 and 2008-A-0036, related to OpenSSL version 0.97a). As you mentioned, these two CAT I are more likely "false positives". But, like other posters mentioned, VMware had a fix for ESX 2.5.x but there is no mention of ESX 3.x and forward, and I don't have any "official" VMware document to back up my claim.

I found out that the VMware VMSA-2009-0004.1 patches will fix the OpenSSL issues. However, we could not implement the patches at this time - our window is 60 - 90 days out. So, we need to have a "short term" mitigation strategy in place to comply with DISA.

I have found other posters mentioned that you can stop the web access service using the following command:

ESX_102# chkconfig vmware-webAccess off <Disable ESX webAccess from starting on boot>

ESX_102# service vmware-webAccess stop <Stop the running ESX Web Access service>

Granted, this will prevent unauthorized users from connecting to the ESX host via the web interface. Is this sufficient?

Also, you mentioned that OpenSSL is used for other things like VIC to SC. Do you know what version of SSL they are using? I believe SSL v2 has problems as it uses weak encryption, etc. Thanks,

Cheers,

dmaahs
Contributor

Since I do not utilize the webAccess portion of ESX, I have disabled this daemon on all my hosts. Everything is performed via VirtualCenter and I have had no issues. I have also started using the PowerShell tools via VirtualCenter and have not found anything yet that would cause problems. If this is something you would like to try, at the service console use these commands:

service vmware-webAccess stop

chkconfig vmware-webAccess off

But this does not mitigate the OpenSSL issue, as it is used by other remote access services, like the hostd process. The problem is found and has to be addressed from the remote assessment tool that is used, which at this time is Retina. The finding is "Secure Sockets Layer (SSL) version 2 has been detected. This protocol is known to have cryptographic weaknesses as well as other exploitable vulnerabilities." This is because the hostd process is still listening on port 443. Only VMware can provide the fix with the ability to use SSL v3 or TLS encryption, and until VMware allows something other than SSL v2 to be used, this will always be a finding.

I must respectfully disagree with Ed and say the OpenSSL issue does affect ESX, as the finding is based on the fact that SSLv2 is used, and we cannot change that to v3 or TLS. As far as the rest of his point, test test test. If you don't use the VI SDK, or any of the other functionality provided by webAccess, you should not have any issues. Turn it off and try it. I have been running this way for over a year and have had no negative effects. The only problem I have seen is with patching. Like other findings, patching copies up new config files and can reset some of the changes that were made to harden your system.
