VMware Cloud Community
omadrigal
Contributor

OpenSSH v3.6 vulnerabilities in ESX Server 3.5.0-110268

We have an ESX Server 3.5.0 build-110268 (all patches installed). However, our security operations staff found the following vulnerabilities in OpenSSH v3.6, embedded in ESX 3:

OpenSSH Multiple Memory Management Vulnerabilities

OpenSSH Signal Handling Vulnerability (RHSA-2006-0697)

OpenSSH GSSAPI Credential Disclosure Vulnerability

OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056)

OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability

I checked the patches currently available (76) and none were required.

This is the info about OpenSSH

openssh-3.6.1p2-33.30.14vmw

openssh-server-3.6.1p2-33.30.14vmw

openssh-clients-3.6.1p2-33.30.14vmw

How can I fix these issues?

Texiwill
Leadership

Hello,

Moved thread to Security and Compliance forum.

Your assessment tool is looking at the version of OpenSSH from a Linux perspective and stating it has those issues. Note this package has been modified by VMware, so this test is invalid. You cannot compare versions to see if these problems exist.

VMware provides OpenSSH patches occasionally; you should go to http://www.vmware.com/security/ to start your research, but I think you will find that these problems do not exist. I would also change your assessment tool to be more for ESX than Linux.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
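
An added example, not part of the original posts or of any VMware or scanner tooling: one way to triage version-only scanner findings when the installed package carries a vendor release suffix, as the reply above describes. Treating `vmw` as the vendor marker, the status labels, and the `examplepkg` entry are assumptions made for illustration.

```python
import re

# Release suffixes that mark a vendor-rebuilt package. "vmw" is taken from the
# package names in the thread; treating it as the marker is an assumption.
VENDOR_TAGS = {"vmw"}

def parse_nvr(nvr):
    """Split an RPM name-version-release string into its three fields."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def vendor_tag(release):
    """Return the alphabetic suffix of the release field, or None."""
    m = re.search(r"[A-Za-z]+$", release)
    return m.group(0) if m else None

def triage(findings, installed):
    """Downgrade version-only findings against vendor-modified packages.

    findings:  list of (title, package_name) produced by version matching.
    installed: list of NVR strings, e.g. the output of `rpm -qa`.
    """
    tags = {}
    for nvr in installed:
        name, _version, release = parse_nvr(nvr)
        tags[name] = vendor_tag(release)
    result = []
    for title, pkg in findings:
        if pkg not in tags:
            status = "package-not-installed"
        elif tags[pkg] in VENDOR_TAGS:
            # The upstream version says nothing about backported fixes here.
            status = "unverified-check-vendor-advisories"
        else:
            status = "version-match"
        result.append((title, pkg, status))
    return result

# Constructed sample: package strings and finding titles quoted from the
# thread, plus one hypothetical unmodified package for contrast.
INSTALLED = ["openssh-3.6.1p2-33.30.14vmw", "openssh-server-3.6.1p2-33.30.14vmw",
             "openssh-clients-3.6.1p2-33.30.14vmw", "examplepkg-1.0-1"]
FINDINGS = [("OpenSSH Signal Handling Vulnerability", "openssh-server"),
            ("OpenSSH Local SCP Shell Command Execution Vulnerability", "openssh-clients"),
            ("Constructed finding", "examplepkg")]

if __name__ == "__main__":
    for row in triage(FINDINGS, INSTALLED):
        print(row)
```

Findings marked `unverified-check-vendor-advisories` still need to be resolved against the vendor's security advisories; the script only stops the upstream version number from being treated as proof.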
section9
Contributor

Do you have any suggestions for tuning assessment tools to more accurately detect vulnerabilities in VMware?

howardcat
Contributor

Edward makes a very important point...ESX is NOT "just another linux box" to scan. Beyond SSH, there are many aspects of the operating environment to consider for vulnerabilities.

I would also like to point out, that in my experience, running literally millions of network and host vulnerability scans over the past few years, I have rarely encountered an instance of a hypervisor vulnerability being exploited in the wild. By far and away the true "risk" when you move into virtualized environments, and statistics will bear this out, is within the VM population. Rapid Physical to Virtual (P2V) migration and consolidation has relocated many existing "host" or "server" issues, right into the VM 'version'.

Please folks, as you watch so diligently over the hypervisor, don't neglect what 20+ years of network security has taught us:

1) No silver bullets

2) Defense in depth

3) Dual controls

4) Start with the basics!

Scan your physical systems and remediate any critical risk factors PRIOR to virtualizing. At least you aren't populating your brand new virtual infrastructure with "known" vulnerabilities. And in my personal experience, they are more of a genuine risk than any combination of hypervisor "threats", real or imagined.

My 2p!

Happy Holidays and Happy New Year to all!

Best regards,

Howard

PS Everyone should buy and read Edward's book, it is a MUST HAVE for those debating any fundamental security issue.

PPS No, I don't get a commission, he has earned his stripes!

PPPS Full disclosure: I am the 'father' of the Catbird V-Agent, and Executive Advisor to the company. If you are in very restrictive environments (Government, Military, Defense, Healthcare, Finance), due to regulation or compliance issues, or plain paranoia, you should get a free copy of the just released Compliance Enforcer for VMware ESX:

The Catbird Compliance Enforcer is a free service that instantly validates and enforces the security and compliance of virtual data centers. Unlike passive auditing tools, the Catbird Compliance Enforcer’s automated VM quarantine technology brings a level of protection to VMware commensurate with industry regulations and critical to passing traditional audits.

Sign up here for FREE! http://www2.catbird.com/our_services/enforcer_request.php

Tell them "Howard sent you..." :)

Texiwill
Leadership

Hello,

There is currently no tool that looks at things like SSH versions to determine if there are vulnerabilities in ESX. There are combinations of tools such as Nessus, ConfigCheck from Tripwire, ConfigureSoft's Entry, VSMS, and Catbird's tool.

None of these are silver bullets but some combination is probably warranted.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
