Introducing VMware’s vRealize Air Compliance (vRAC)

Hola Peeps,
It is with great pleasure that I introduce our latest and greatest Compliance solution from VMware, vRealize Air Compliance!
vRAC gives you event-driven compliance checks of your virtual infrastructure and tells you WHO made a non-compliant change and when it occurred, in near real time! (As fast as the Seahawks' defense making Peyton Manning choke in another Super Bowl loss)
The vRAC solution is based on SCAP content, takes minutes to install, and allows you to set exceptions on the fly. We are making it available (BETA) to our customers because the audit community is starting to inspect the virtual infrastructure on a regular basis.

Sign up for the vRAC BETA here:

http://vrealizeair.vmware.com/compliance

Check out the Dashboard and Score Cards:

See a recent rule failure (Went from compliant to non compliant):

Drill down to see who made the change with a time stamp:

Set Exceptions on the fly:

Check out the vRAC video here:

https://www.youtube.com/watch?v=-Au0eec2hkU

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum.

Cambio y Fuera!
George Gerchow
VMware vRealize Air Compliance Product Manager – CISSP, ITIL, CCNA, MCPS, SCP

Transparent Page Sharing – additional management capabilities and new default settings

Today VMware introduced additional capabilities to manage Transparent Page Sharing (TPS). This addition was prompted by recent academic research that leveraged TPS to gain unauthorized access to data under certain highly controlled conditions.

We also announced that starting in December with the next ESXi Update release, TPS among virtual machines will no longer be enabled by default. Even though we believe the security risk associated with enabling TPS is very low, VMware strives to be “secure by default” wherever possible.

The upcoming changes to the default TPS settings are explained in VMware Knowledge Base (KB) article 2080735. Documentation for the additional TPS management capabilities can be found in KB 2091682.

Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan for the upcoming ESXi Update releases, which no longer have TPS between VMs enabled by default. Note also that on hosts that use the hardware memory-virtualization capabilities of modern processors, large pages are used, so TPS is likely not in effect except where memory is overcommitted; see KB 1021095 for further details.

We would like to thank Gorka Irazoqui, Mehmet Sinan Inci and the Vernam lab for working with VMware and sharing their side-channel research.

CVE-2014-3566 aka POODLE

Today, a new attack on SSL v3 dubbed POODLE was published. We’ve reviewed the issue and concur with the community that the issue is similar to the BEAST attack published in 2011 but more practical.

Like the BEAST attack, exploiting this vulnerability requires the attacker to run JavaScript in the victim's browser and to be able to man-in-the-middle the connection between the client and server. At this time we view this as a browser-based attack and do not see direct relevance to VMware's products.

We will shortly issue a VMware Knowledge Base (KB) article for POODLE with similar guidance to that found in our BEAST KB article.

10/15 Update
We’ve published VMware Knowledge Base 2092133 with the recommendation to disable SSL v3 in your browser.

10/16 Update
Over the next few days we will begin a structured roll out to explicitly deny SSL v3 connections on all VMware websites and services. We support industry recommendations on disabling SSLv3 and requiring TLS for encrypted communication.

NSX-v 6.1 security hardening guide released for community feedback!

Hi All,
We are pleased to announce the release of the much-awaited NSX-v 6.1 security hardening guide to the community for feedback and comments. You can now securely deploy NSX-v using the prescriptive guidelines in the guide.

Take your copy here. If you have something to say about it please write to nsxhgcomments@vmware.com and we shall get back to you.

Thanks to all the contributors for its success!

Thanks and regards,
Pravin Goyal
RHCE | HP-UX CSA | VCP | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F | CWNA | CWSP | Mobility+

New VMware Security Advisory VMSA-2014-0010 (shellshock)

Today VMware has released the following new security advisory:

VMSA-2014-0010

This advisory lists the VMware product updates and patches that address the bash security issues CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187, aka shellshock. It will be updated as new product updates and patches are released in the coming days.

Customers should review the security advisory and direct any questions to VMware Support.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

10/1 Update
Following the disclosure today of two more bash vulnerabilities (CVE-2014-6277 and CVE-2014-6278, both of which are remediated by our updated products), we wanted to explain VMware’s systemic approach to addressing the bash security vulnerabilities. VMware’s Security Engineers have been closely monitoring and evaluating the various fixes being proposed within the security community. As such, VMware has adopted the more comprehensive solution suggested by Dr. Christos Zoulas of the NetBSD project last week. This broad fix removes access to the underlying function importing behavior in bash that exposes the fragile parsing code to external exploitation. We expect this broader fix to be more durable than point fixes as it will remove the risk due to future parser bugs.
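As an added check (not VMware's code and not the NetBSD patch itself), the POSIX shell script below reports whether the bash on a host still imports function definitions from an ordinary environment variable, which is the behaviour the fix described above removes, and whether the upstream-style prefixed function export is still honoured. It assumes a bash binary on PATH; the variable name "probe" and the marker strings are constructed for this check.

```shell
#!/bin/sh
# Added example, not VMware's code: report whether the bash on this host still
# imports function definitions from an arbitrary environment variable, which is
# what made the CVE-2014-6271 family of parser bugs reachable from outside.
# Assumptions: a bash binary on PATH; the variable name "probe" and the marker
# strings are constructed for this check.

bash_function_import_state() {
    if ! command -v bash >/dev/null 2>&1; then
        echo no-bash
        return 1
    fi
    # An unpatched bash parses the value as an exported function and runs the
    # trailing command while importing it, so the marker appears even though
    # the child is only asked to echo "done". A patched bash (the NetBSD-style
    # fix described in the post, or upstream's BASH_FUNC_name%% change) treats
    # the variable as plain data and the marker never appears.
    out=$(env probe='() { :; }; echo IMPORTED_AT_STARTUP' bash -c 'echo done' 2>/dev/null)
    case "$out" in
        *IMPORTED_AT_STARTUP*) echo vulnerable ;;
        *)                     echo patched ;;
    esac
}

# Companion check: does this bash still import functions at all via the
# upstream-style prefixed variable? "yes" means function import exists but is
# confined to that namespace; "no" means import from the environment is gone
# outright (the broader approach the post describes).
bash_function_export_supported() {
    if env 'BASH_FUNC_probe%%=() { echo STILL_IMPORTS; }' bash -c 'probe' 2>/dev/null \
        | grep -q STILL_IMPORTS; then
        echo yes
    else
        echo no
    fi
}

printf 'environment function import (shellshock-style): %s\n' "$(bash_function_import_state)"
printf 'prefixed function export still honoured: %s\n' "$(bash_function_export_supported)"
```

A result of "patched" means the host is not exposed through the original variable format; the second line only tells you which of the two fix strategies the installed bash follows.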

VMware investigating bash command injection vulnerability aka Shell Shock (CVE-2014-6271, CVE-2014-7169)

VMware security response is aware of the security vulnerability in bash known as “Shell Shock” disclosed today (CVE-2014-6271, CVE-2014-7169). We are currently investigating the issue.

9/25 Update
We’ve published VMware Knowledge Base article 2090740, which provides the current state of our investigation into the bash issue. The article will be updated when we know more.

9/26 Update
We’ve updated VMware Knowledge Base article 2090740 and added a list of Virtual Appliances that are going to be re-released with a fix for the bash issue.

9/27 Update
We’ve added ESX(i) 4.0 and ESX(i) 4.1 to VMware Knowledge Base article 2090740. In an exception to the existing VMware lifecycle policy, we will release patches for ESX 4.0 and ESX 4.1, which are out of support. ESXi 4.0 and ESXi 4.1 are not affected.

9/30 Update
VMware Knowledge Base article 2090740 now points to VMware Security Advisory VMSA-2014-0010 which lists VMware product updates and patches that address the bash issue.

New VMware Security Advisory VMSA-2014-0009

Today VMware has released the following new security advisory:

VMSA-2014-0009

The advisory documents a critical information disclosure vulnerability, CVE-2014-3796, which has been addressed in VMware NSX 6.x Edge and vCNS 5.x Edge releases this week.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2014-0008 and updated advisories

Today VMware has released the following new and updated security advisories:
New
VMSA-2014-0008
Updated
VMSA-2014-0007.2
VMSA-2014-0006.10

The new advisory details updates of third party libraries that are present in vSphere 5.5 Update 2, which was released today.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Verify Roles and Features using VCM

Today I show how you can ensure you comply with DISA recommendations to have only the needed roles and features enabled on Windows machines, using VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops).

This example uses the DISA STIG for Windows 7, Version 1 Release 16, released on 25 Jul 2014.

Below are the DISA recommendations:

  • 5.016 – IIS or its subcomponents must not be installed on a workstation
  • 5.260 – Games must not be installed on the system
  • 5.260 – Simple TCPIP Services must not be installed on the system
  • 5.260 – Telnet Server must not be installed on the system
  • 5.260 – The Telnet Client must not be installed on the system
  • 5.260 – The TFTP Client must not be installed on the system
  • 5.260 – Windows Media Center must not be installed on the system

Consolidated list of VMware Security Advisories

Today (8/21/2014) the VMware Security Response Center is releasing a consolidated list of VMware Security Advisories in the form of an Excel file (see below). The list provides a single source of Security Advisories since 2012.

The list contains all affected products, versions, fix details, known workarounds, VMware Knowledge Base articles, and release notes or KBs for each CVE. It is provided so customers can import Security Advisory details into their security management systems or use them for patch management.

We plan to update the list each time a new or updated VMware Security Advisory is released.

Details of the contents can be found in VMware Knowledge Base article:

http://kb.vmware.com/kb/2078735

You can download the consolidated list here:

https://www.vmware.com/files/xls/security/VMWareSecurityAdvisoryList.xlsx

This document provides the following information about the affected product(s) for each Security Advisory:
  • Vulnerability Title
  • Vulnerability Description
  • Advisory Name
  • Advisory URL
  • CVE(s)
  • Affected Product
  • Affected Version
  • Affected Running on
  • Fixed Patch Release Number
  • Fixed Bulletin ID
  • Fixed Build No.
  • Knowledge Base Article associated with fix
  • Workarounds
  • Reporting Company
  • Reporting Individual
  • CVSS v2*
  • CVSS*
  • First Published Date
  • Last Update Date

Note: * CVSS details have been sourced from NIST for consistency.