-
- Expert
- Posts: 115
- Liked: 31 times
- Joined: Mar 16, 2023 5:47 pm
- Contact:
Tenable flagging Linux proxies with vulnerable OpenSSL
Hello,
Our security team has found via a Tenable scan that the OpenSSL on our Linux (Ubuntu 22) VMware proxies is a vulnerable version. Can we expect this to be patched?
/opt/veeam/transport/vddk_6_0/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2j
"Tenable has reported that the version of OpenSSL installed on the remote host is prior to 1.0.2zi. It is, therefore, affected by a vulnerability as referenced in the 1.0.2zi advisory."
Remediation note: upgrade to OpenSSL version 1.0.2zi or later.
CVEs: CVE-2023-3446, CVE-2023-3817
Links for more information:
https://www.openssl.org/news/secadv/20230719.txt
https://www.cve.org/CVERecord?id=CVE-2023-3446
https://www.cve.org/CVERecord?id=CVE-2023-3817
https://www.openssl.org/news/secadv/20230731.txt
-
- Product Manager
- Posts: 10316
- Liked: 2754 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
Hello Pmichelli
Please use our Vulnerability Report form to submit any security related finding in our products.
This is our official reporting process for security related issues. Your report goes directly to the responsible team at Veeam:
https://www.veeam.com/vulnerability-disclosure.html
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Service Provider
- Posts: 3
- Liked: never
- Joined: May 22, 2017 3:17 pm
- Full Name: Mike Smallwood
- Contact:
[MERGED] VEEAM Proxy Transport OpenSSL Vulnerability Case # 07097483
We have a customer that has the VEEAM Linux Proxy and their security systems are picking up a vulnerability with the transport libraries. Do we know how soon this will be fixed?
Plugin Description:
Code:
The version of OpenSSL installed on the remote host is prior to 1.0.2ze. It is, therefore, affected by a vulnerability as referenced in the 1.0.2ze advisory.
- The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n).
Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)
Plugin Output:
Path : /opt/veeam/transport/vddk_6_0/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2j
Fixed version : 1.0.2ze
Path : /opt/veeam/transport/vddk_6_0/lib64/libssl.so.1.0.2 Reported version : 1.0.2j
Fixed version : 1.0.2ze
Path : /opt/veeam/transport/vddk_6_7/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2s
Fixed version : 1.0.2ze
Path : /opt/veeam/transport/vddk_6_7/lib64/libssl.so.1.0.2 Reported version : 1.0.2s
Fixed version : 1.0.2ze
Path : /opt/veeam/transport/vddk_7_0/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2za
Fixed version : 1.0.2ze
Path : /opt/veeam/transport/vddk_7_0/lib64/libssl.so.1.0.2 Reported version : 1.0.2za
Fixed version : 1.0.2ze
-
- Product Manager
- Posts: 15146
- Liked: 3242 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
Hello,
I merged your question with a similar one from some months ago.
Looking at the path, it looks like a VMware component where we have no influence (simply deleting it should work if you use up-to-date vSphere). Feel free to use the above form to get a formal answer if needed.
Best regards,
Hannes
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 17, 2024 8:57 pm
- Full Name: Rick Ward
- Contact:
[MERGED] OpenSSH VUL issue
Our scanning systems found the below vulnerability issue with the Veeam Linux agent.
Path : /opt/veeam/transport/vddk_6_0/lib64/libcrypto.so.1.0.2
Reported version : 1.0.2j
Fixed version : 1.0.2r
Path : /opt/veeam/transport/vddk_6_0/lib64/libssl.so.1.0.2
Reported version : 1.0.2j
Fixed version : 1.0.2r
Is there an available patch or workaround? This is in our GOV environment and rather urgent to correct.
-
- Product Manager
- Posts: 10316
- Liked: 2754 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
Hello Rick
Please see the previous comments in this topic.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 17, 2024 8:57 pm
- Full Name: Rick Ward
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
So, are you stating that we can simply remove the “vddk_6_0” dir from the above path and that won’t affect Veeam adversely?
-
- Product Manager
- Posts: 10316
- Liked: 2754 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
If your machine doesn't protect VMs on vSphere 6.0 hosts, you can safely remove the folder "vddk_6_0".
For a test, you can move the folder to a temporary location before deleting it. Run your backup jobs to confirm that the jobs are still running without the VDDK v6 tools from VMware.
VDDK v6 is a kit provided by VMware. When VMware provides an update to VDDK v6 with fixed versions of those two files, Veeam will update its products as well. But we first need an updated version from VMware. With vSphere 6.0 already in its end-of-support phase, I don't expect any updates from VMware: https://kb.vmware.com/s/article/66977
We plan to remove all VDDK versions from servers with Veeam components that are not fulfilling the role of a "VMware proxy". This will be done by an upcoming patch for Veeam Backup & Replication. But VMware proxy servers will still require the VDDK to be installed, including VDDK v6 as long as we support vSphere 6.* as a source for backup jobs.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Veteran
- Posts: 613
- Liked: 92 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
Similar issue here, security team / Tenable complains about libssl.so.1.0.2 in the Veeam vddk 7 path being vulnerable. When will this be updated by Veeam? A fixed version is available in the latest VDDK version.
https://www.tenable.com/plugins/nessus/162419
Fixed version : 1.0.2zf
Code:
[veeam proxy lib64]# pwd
/opt/veeam/transport/vddk_7_0/lib64
[veeam proxy lib64]# strings libssl.so.1.0.2 | grep "^OpenSSL "
OpenSSL 1.0.2za-fips 24 Aug 2021
https://docs.vmware.com/en/VMware-vSphe ... notes.html
Downloaded vddk 7.0.3.4
Code:
[veeam proxy lib64]# strings libssl.so.1.0.2 | grep "^OpenSSL "
OpenSSL 1.0.2zi-fips 1 Aug 2023
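Added example, written for this thread and not code from Veeam, VMware or Tenable: a POSIX shell inventory script that does what the strings | grep "^OpenSSL " check in the post above does, but for every vddk_*/lib64 tree under a transport root at once, and compares the embedded 1.0.2 letter release against the one your scanner demands. The transport root, the required letter ("zi", matching the 1.0.2zi advisory quoted in the first post) and the demo tree it builds under mktemp are assumptions; the demo tree reproduces the paths and versions quoted in the Tenable output earlier in the thread with plain text files carrying the same version strings, so the script runs without a Veeam install.

```shell
#!/bin/sh
# Added example (not Veeam, VMware or Tenable code): inventory the OpenSSL 1.0.2
# libraries bundled inside each VDDK tree under a Veeam transport directory and
# flag those below a required letter release, e.g. "zi" for the 1.0.2zi advisory.
# The transport root and the demo tree below are assumptions for illustration.

# Compare two OpenSSL 1.0.2 letter suffixes: "" (plain 1.0.2), "j", "z", "za", "zi".
# Releases after 1.0.2z are 1.0.2za, 1.0.2zb, ... so a longer suffix is newer, and
# suffixes of equal length order alphabetically. Returns 0 when $1 >= $2.
suffix_ge() {
    a=$1; b=$2
    if [ "${#a}" -ne "${#b}" ]; then
        if [ "${#a}" -gt "${#b}" ]; then return 0; else return 1; fi
    fi
    case $(printf '%s\n' "$a" "$b" | LC_ALL=C sort | tail -n 1) in
        "$a") return 0 ;;
        *)    return 1 ;;
    esac
}

# Print the release string baked into a library, e.g. "1.0.2zi", or nothing if no
# such string is present. grep -a scans the binary directly, so this also works
# on a proxy that has no binutils (the thread uses strings | grep "^OpenSSL ").
lib_version() {
    grep -a -o 'OpenSSL 1\.0\.2[a-z]*' "$1" | head -n 1 | sed 's/^OpenSSL //'
}

# Walk every vddk_*/lib64 below $1 and classify libssl/libcrypto against the
# required suffix $2. Prints one line per library; returns 1 if any is below it.
scan_transport() {
    root=$1; required=$2; rc=0
    for lib in "$root"/vddk_*/lib64/libssl.so.1.0.2 \
               "$root"/vddk_*/lib64/libcrypto.so.1.0.2; do
        [ -f "$lib" ] || continue
        ver=$(lib_version "$lib")
        if [ -z "$ver" ]; then
            printf '%s UNKNOWN (no OpenSSL 1.0.2 version string)\n' "$lib"
            rc=1
            continue
        fi
        if suffix_ge "${ver#1.0.2}" "$required"; then
            printf '%s %s OK\n' "$lib" "$ver"
        else
            printf '%s %s VULNERABLE (need 1.0.2%s)\n' "$lib" "$ver" "$required"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo tree mimicking the paths and versions quoted in the Tenable
# output in this thread; the "libraries" are text files with the same embedded
# version string a real libssl carries.
make_demo_tree() {
    root=$1
    for spec in "vddk_6_0:1.0.2j-fips" \
                "vddk_6_7:1.0.2s-fips" \
                "vddk_7_0:1.0.2zi-fips 1 Aug 2023"; do
        dir="$root/${spec%%:*}/lib64"
        mkdir -p "$dir"
        for lib in libssl.so.1.0.2 libcrypto.so.1.0.2; do
            printf 'binary junk\nOpenSSL %s\nmore junk\n' "${spec#*:}" > "$dir/$lib"
        done
    done
}

demo=$(mktemp -d)
make_demo_tree "$demo"
if scan_transport "$demo" zi; then
    echo "all bundled OpenSSL 1.0.2 libraries are at or above 1.0.2zi"
else
    echo "findings above: quarantine a flagged vddk_* directory only if no job still backs up that vSphere version"
fi
rm -rf "$demo"
```

On a real proxy, source the file and run scan_transport /opt/veeam/transport zi (root rights are not needed to read the libraries). The suffix comparison exists because the 1.0.2 letter releases run z, za, zb, ... zi, so a plain string comparison ranks 1.0.2za below 1.0.2z; the script compares suffix length first. Note that the "Fixed version" in the scanner output differs between posts in this thread (r, ze, zf, zi) because each plugin tests for a different advisory; pass the letter of the newest advisory you accept, not the one a single plugin happens to print.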
-
- Product Manager
- Posts: 15146
- Liked: 3242 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
Hello,
I just checked with 12.1.2.172 (should be public later today / tomorrow) and it looks good
Code:
root@linuxproxy:/opt/veeam/transport/vddk_7_0/lib64# strings libssl.so.1.0.2 | grep "^OpenSSL "
OpenSSL 1.0.2zi-fips 1 Aug 2023
Best regards,
Hannes
-
- Veteran
- Posts: 613
- Liked: 92 times
- Joined: Dec 20, 2015 6:24 pm
- Contact:
Re: Tenable flagging Linux proxies with vulnerable OpenSSL
Thanks, nice to know that an update is on its way.