We have an ESX Server 3.5.0 build-110268 (all patches installed). However, our security operations staff found the following vulnerabilities in OpenSSH v3.6, embedded in ESX 3:
OpenSSH Multiple Memory Management Vulnerabilities
OpenSSH Signal Handling Vulnerability (RHSA-2006-0697)
OpenSSH GSSAPI Credential Disclosure Vulnerability
OpenSSH Local SCP Shell Command Execution Vulnerability (FEDORA-2006-056)
OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability
I checked the patches currently available (76) and none were required.
This is the info about OpenSSH:
openssh-3.6.1p2-33.30.14vmw
openssh-server-3.6.1p2-33.30.14vmw
openssh-clients-3.6.1p2-33.30.14vmw
How can I fix these issues?
Hello,
Moved thread to Security and Compliance forum.
Your assessment tool is looking at the version of OpenSSH from a Linux perspective and stating it has those issues. Note this package has been modified by VMware, so this test is invalid. You cannot compare versions to see if these problems exist.
VMware provides OpenSSH patches occasionally. You should go to http://www.vmware.com/security/ to start your research, but I think you will find that these problems do not exist. I would also change your assessment tool to be more for ESX than Linux.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
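The reply above explains why a version-only match is unreliable on a vendor-modified package. As an added example (not part of the original thread and not VMware's or any scanner's code), this sketch triages findings using the package release tag and a changelog excerpt. The changelog text, the `evidence` field and the status labels are constructed assumptions; in practice the changelog would come from `rpm -q --changelog openssh-server` on the host.

```python
import re

# Constructed sample, NOT real `rpm -q --changelog` output from an ESX host.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2007 Example Packager <packager@example.invalid>
- backport fix for signal handler race (RHSA-2006-0697)
"""

# Titles and advisory IDs are taken from the thread. The third field is an
# assumption about how the scanner reached its verdict (banner = version string).
FINDINGS = [
    ("OpenSSH Signal Handling Vulnerability", "RHSA-2006-0697", "banner"),
    ("OpenSSH Local SCP Shell Command Execution Vulnerability", "FEDORA-2006-056", "banner"),
    ("OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability", None, "banner"),
]

def parse_nvr(nvr):
    """Split an RPM name-version-release string; the release holds the vendor tag."""
    name, version, release = nvr.rsplit("-", 2)
    return {"name": name, "version": version, "release": release}

def is_vendor_rebuild(release, tags=("vmw",)):
    """True when the release ends with a known vendor rebuild tag."""
    return release.endswith(tags)

def triage(nvr, findings, changelog):
    """Map each finding title to a triage status instead of trusting the banner."""
    rebuilt = is_vendor_rebuild(parse_nvr(nvr)["release"])
    results = {}
    for title, advisory, evidence in findings:
        if advisory and re.search(re.escape(advisory), changelog, re.IGNORECASE):
            status = "fix-referenced-in-changelog"
        elif evidence == "banner" and rebuilt:
            # Upstream version alone says nothing about backported fixes.
            status = "version-match-only-verify-with-vendor-advisory"
        else:
            status = "treat-as-reported"
        results[title] = status
    return results

if __name__ == "__main__":
    report = triage("openssh-server-3.6.1p2-33.30.14vmw", FINDINGS, SAMPLE_CHANGELOG)
    for title, status in report.items():
        print(f"{status:48} {title}")
```

Findings that end up as version-match-only still need to be checked against the vendor's security advisories before they are closed or escalated.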
Do you have any suggestions for tuning assessment tools to more accurately detect vulnerabilities in VMware?
Edward makes a very important point...ESX is NOT "just another linux box" to scan. Beyond SSH, there are many aspects of the operating environment to consider for vulnerabilities.
I would also like to point out, that in my experience, running literally millions of network and host vulnerability scans over the past few years, I have rarely encountered an instance of a hypervisor vulnerability being exploited in the wild. By far and away the true "risk" when you move into virtualized environments, and statistics will bear this out, is within the VM population. Rapid Physical to Virtual (P2V) migration and consolidation has relocated many existing "host" or "server" issues, right into the VM 'version'.
Please folks, as you watch so diligently over the hypervisor, don't neglect what 20+ years of network security has taught us:
1) No silver bullets
2) Defense in depth
3) Dual controls
4) Start with the basics!
Scan your physical systems and remediate any critical risk factors PRIOR to virtualizing. At least you aren't populating your brand new virtual infrastructure with "known" vulnerabilities. And in my personal experience, they are more of a genuine risk than any combination of hypervisor "threats", real or imagined.
My 2p!
Happy Holidays and Happy New Year to all!
Best regards,
Howard
PS Everyone should buy and read Edward's book, it is a MUST HAVE for those debating any fundamental security issue.
PPS No, I don't get a commission, he has earned his stripes!
PPPS Full disclosure: I am the 'father' of the Catbird V-Agent, and Executive Advisor to the company. If you are in very restrictive environments (Government, Military, Defense, Healthcare, Finance), due to regulation or compliance issues, or plain paranoia, you should get a free copy of the just released Compliance Enforcer for VMware ESX:
The Catbird Compliance Enforcer is a free service that instantly validates and enforces the security and compliance of virtual data centers. Unlike passive auditing tools, the Catbird Compliance Enforcer’s automated VM quarantine technology brings a level of protection to VMware commensurate with industry regulations and critical to passing traditional audits.
Sign up here for FREE! http://www2.catbird.com/our_services/enforcer_request.php
Tell them "Howard sent you..."
Hello,
There is currently no tool that looks at things like SSH versions to determine if there are vulnerabilities in ESX. There are combinations of tools such as Nessus, ConfigCheck from Tripwire, Configuresoft's Entry, VSMS, and Catbird's tool.
None of these are silver bullets but some combination is probably warranted.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links