Host-based backup of VMware vSphere VMs.
pmichelli
Expert
Posts: 115
Liked: 31 times
Joined: Mar 16, 2023 5:47 pm

Tenable flagging Linux proxies with vulnerable openSSL

Post by pmichelli »

Hello,

Our security team has found via a Tenable scan that the OpenSSL on our Linux (Ubuntu 22) VMware proxies is a vulnerable version. Can we expect this to be patched?

/opt/veeam/transport/vddk_6_0/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2j

"Tenable has reported that the version of OpenSSL installed on the remote host is prior to 1.0.2zi. It is, therefore, affected by a vulnerability as referenced in the 1.0.2zi advisory."

Remediation note: upgrade to OpenSSL version 1.0.2zi or later.

CVEs: CVE-2023-3446, CVE-2023-3817

Links for more information:
https://www.openssl.org/news/secadv/20230719.txt
https://www.cve.org/CVERecord?id=CVE-2023-3446
https://www.cve.org/CVERecord?id=CVE-2023-3817
https://www.openssl.org/news/secadv/20230731.txt
Mildur
Product Manager
Posts: 10316
Liked: 2754 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by Mildur »

Hello Pmichelli

Please use our Vulnerability Report form to submit any security related finding in our products.
This is our official reporting process for security related issues. Your report goes directly to the responsible team at Veeam:
https://www.veeam.com/vulnerability-disclosure.html

Best,
Fabian
Product Management Analyst @ Veeam Software
SmallsM86
Service Provider
Posts: 3
Liked: never
Joined: May 22, 2017 3:17 pm
Full Name: Mike Smallwood

[MERGED] VEEAM Proxy Transport OpenSSL Vulnerability Case # 07097483

Post by SmallsM86 »

We have a customer that has the VEEAM Linux Proxy and their security systems are picking up a vulnerability with the transport libraries. Do we know how soon this will be fixed?

Plugin Description:

Code:

The version of OpenSSL installed on the remote host is prior to 1.0.2ze. It is, therefore, affected by a vulnerability as referenced in the 1.0.2ze advisory.

- The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n).

Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)
 
Plugin Output:

Path : /opt/veeam/transport/vddk_6_0/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2j
Fixed version : 1.0.2ze

Path : /opt/veeam/transport/vddk_6_0/lib64/libssl.so.1.0.2 Reported version : 1.0.2j
Fixed version : 1.0.2ze

Path : /opt/veeam/transport/vddk_6_7/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2s
Fixed version : 1.0.2ze

Path : /opt/veeam/transport/vddk_6_7/lib64/libssl.so.1.0.2 Reported version : 1.0.2s
Fixed version : 1.0.2ze

Path : /opt/veeam/transport/vddk_7_0/lib64/libcrypto.so.1.0.2 Reported version : 1.0.2za
Fixed version : 1.0.2ze

Path : /opt/veeam/transport/vddk_7_0/lib64/libssl.so.1.0.2 Reported version : 1.0.2za
Fixed version : 1.0.2ze
HannesK
Product Manager
Posts: 15146
Liked: 3241 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by HannesK »

Hello,
I merged your question with a similar one from some months ago.

Looking at the path, it looks like a VMware component where we have no influence (simply deleting it should work if you use up-to-date vSphere). Feel free to use the above form to get a formal answer if needed.

Best regards,
Hannes
rickward7710
Lurker
Posts: 2
Liked: never
Joined: Apr 17, 2024 8:57 pm
Full Name: Rick Ward

[MERGED] OpenSSH VUL issue

Post by rickward7710 »

Our scanning systems found the below vulnerability issue with the Veeam Linux agent.
Path : /opt/veeam/transport/vddk_6_0/lib64/libcrypto.so.1.0.2
Reported version : 1.0.2j
Fixed version : 1.0.2r
Path : /opt/veeam/transport/vddk_6_0/lib64/libssl.so.1.0.2
Reported version : 1.0.2j
Fixed version : 1.0.2r

Is there an available patch or workaround? This is in our GOV environment and rather urgent to correct.
Mildur
Product Manager
Posts: 10316
Liked: 2754 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by Mildur »

Hello Rick

Please see the previous comments in this topic.

Best,
Fabian
Product Management Analyst @ Veeam Software
rickward7710
Lurker
Posts: 2
Liked: never
Joined: Apr 17, 2024 8:57 pm
Full Name: Rick Ward

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by rickward7710 »

So, are you stating that we can simply remove the “vddk_6_0” dir from the above path and that won’t affect Veeam adversely?
Mildur
Product Manager
Posts: 10316
Liked: 2754 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by Mildur »

If your machine doesn't protect VMs on vSphere 6.0 hosts, you can safely remove the folder "vddk_6_0".

For a test, you can move the folder to a temporary location before deleting it. Run your backup jobs to confirm that the jobs are still running without the VDDK v6 tools from VMware.

VDDK v6 is a kit provided by VMware. When VMware provides an update to VDDK v6 with fixed versions of those two files, Veeam will update its products as well. But we first need an updated version from VMware. With vSphere 6.0 already in the end-of-support phase, I don't expect any updates from VMware: https://kb.vmware.com/s/article/66977

We plan to remove all VDDK versions from servers with Veeam components that are not fulfilling the role of a "VMware proxy". This will be done by an upcoming patch for Veeam Backup & Replication. But VMware proxy servers will still require the VDDK to be installed, including VDDK v6 as long as we support vSphere 6.* as a source for backup jobs.

Best,
Fabian
Product Management Analyst @ Veeam Software
pirx
Veteran
Posts: 613
Liked: 92 times
Joined: Dec 20, 2015 6:24 pm

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by pirx »

Similar issue here, security team / Tenable complains about libssl.so.1.0.2 in the Veeam vddk 7 path being vulnerable. When will this be updated by Veeam? A fixed version is available in the latest vddk version.

https://www.tenable.com/plugins/nessus/162419
Fixed version : 1.0.2zf

Code:

[veeam proxy lib64]# pwd
/opt/veeam/transport/vddk_7_0/lib64

[veeam proxy lib64]# strings libssl.so.1.0.2 | grep "^OpenSSL "
OpenSSL 1.0.2za-fips  24 Aug 2021
https://docs.vmware.com/en/VMware-vSphe ... notes.html

Downloaded vddk 7.0.3.4

Code:

[veeam proxy lib64]# strings libssl.so.1.0.2 | grep "^OpenSSL "
OpenSSL 1.0.2zi-fips  1 Aug 2023
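The version check from the posts above (`strings lib | grep "^OpenSSL "`) and Mildur's per-kit guidance, scripted as an added example that is not code from the thread or from Veeam: it reports the OpenSSL build embedded in every VDDK libssl/libcrypto under a transport root and ranks 1.0.2 letter releases so that 1.0.2za is correctly treated as older than 1.0.2zi. The transport layout is assumed from the paths in the thread, and the sample tree it builds is constructed for offline testing.

```shell
# Added example (not from the thread or Veeam): report the OpenSSL version string
# embedded in each VDDK libssl/libcrypto under a Veeam transport root (assumed
# layout /opt/veeam/transport/vddk_*/lib64 as in the posts) and flag anything
# older than a required 1.0.2 letter release such as 1.0.2zi.
LC_ALL=C; export LC_ALL

# Same check as the thread's `strings lib | grep "^OpenSSL "`, done with tr so it
# needs no binutils; prints e.g. 1.0.2za (the -fips tag is stripped).
openssl_version_of() {
    tr -c '[:print:]\n' '\n' < "$1" | grep '^OpenSSL 1\.' | head -n1 |
        cut -d' ' -f2 | sed 's/-fips$//'
}

# Rank a 1.0.2 letter suffix: none < a..z < za..zz (a longer suffix is newer),
# so the rank is "<suffix length><suffix>" and sorts correctly as a string.
suffix_rank() {
    s=${1#1.0.2}
    printf '%d%s\n' "${#s}" "$s"
}

# True (exit 0) when 1.0.2 release $1 is the same as or newer than release $2.
at_least() {
    a=$(suffix_rank "$1"); b=$(suffix_rank "$2")
    [ "$a" = "$b" ] && return 0
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort | head -n1)" = "$b" ]
}

# Walk every vddk_*/lib64 under $1; print OK/OUTDATED per library against minimum
# $2; exit non-zero if any library is outdated (usable as a compliance gate).
scan_vddk_libs() {
    root=$1; min=$2; bad=0
    for lib in "$root"/vddk_*/lib64/libssl.so* "$root"/vddk_*/lib64/libcrypto.so*; do
        [ -f "$lib" ] || continue
        v=$(openssl_version_of "$lib")
        if [ -z "$v" ]; then echo "UNKNOWN  $lib (no OpenSSL version string)"
        elif at_least "$v" "$min"; then echo "OK       $lib $v"
        else echo "OUTDATED $lib $v (need >= $min)"; bad=$((bad + 1)); fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample tree (plain files, not real VDDK binaries) carrying the two
# version strings quoted in the thread, so the scan can be tried offline.
make_sample_tree() {
    d=$(mktemp -d)
    for kit in 6_0:1.0.2j 7_0:1.0.2za; do
        mkdir -p "$d/vddk_${kit%%:*}/lib64"
        printf 'OpenSSL %s-fips  24 Aug 2021\n' "${kit#*:}" > "$d/vddk_${kit%%:*}/lib64/libssl.so.1.0.2"
    done
    echo "$d"
}
```

On a real proxy, source the file and run `scan_vddk_libs /opt/veeam/transport 1.0.2zi`; a kit reported OUTDATED that protects no hosts of that vSphere version is the one Mildur suggests setting aside before deletion.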
HannesK
Product Manager
Posts: 15146
Liked: 3241 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by HannesK »

Hello,
I just checked with 12.1.2.172 (should be public later today / tomorrow) and it looks good.

Code:

root@linuxproxy:/opt/veeam/transport/vddk_7_0/lib64# strings libssl.so.1.0.2 | grep "^OpenSSL "
OpenSSL 1.0.2zi-fips  1 Aug 2023
Best regards,
Hannes
pirx
Veteran
Posts: 613
Liked: 92 times
Joined: Dec 20, 2015 6:24 pm

Re: Tenable flagging Linux proxies with vulnerable openSSL

Post by pirx »

Thanks, nice to know that an update is on its way.