Knowledge Base

Security Response: Installing OpenSSL Patch to Correct CERT Vulnerabilities in VMware GSX Server 3.0.0
Details
Is GSX Server 3.0.0 exposed to the OpenSSL denial of service vulnerabilities reported in the following advisories and alerts?
- OpenSSL Security Advisory [17 March 2004] (www.openssl.org/news/secadv_20040317.txt)
- CERT Technical Cyber Security Alert TA04-078A (www.us-cert.gov/cas/techalerts/TA04-078A.html)
- CAN-2004-0079 (cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079)
- CAN-2004-0112 (cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112)
- CAN-2004-0081 (cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081)
What is VMware's response? How can I protect my GSX Server 3.0.0 systems from these vulnerabilities?
Solution
VMware GSX Server 3.0.0 (for Windows and Linux systems) build 7592 uses OpenSSL version 0.9.7c, which has known vulnerabilities that can expose systems to denial of service attacks. On March 17, 2004, an OpenSSL Security Advisory was posted identifying SSL/TLS handshake vulnerabilities that could cause OpenSSL to crash. Such a crash would interrupt GSX Server Management Interface and Virtual Machine Console sessions.
All VMware GSX Server 3.0.0 (for Windows and Linux systems) build 7592 users are strongly urged to install the OpenSSL 0.9.7d patch that fixes the known OpenSSL vulnerabilities.
VMware has released GSX Server 2.5.2 to address the above vulnerabilities in GSX Server 2.x.x systems. For information on that release, see VMware Knowledge Base article 1256 at www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1256. VMware GSX Server 1.0.x does not use OpenSSL and is therefore not subject to the vulnerabilities linked above.
Patching a Windows Host
To verify whether your VMware GSX Server 3.0.0 (for Windows) system has been patched, run this command from a Windows command prompt:
"C:\Program Files\VMware\VMware Management Interface\openssl" version
(where C:\Program Files\VMware\ is the default installation location)
If the command returns:
"OpenSSL 0.9.7d <date>"
(where <date> is the date returned by the command), your system has already been patched and no further steps are necessary.
If the command indicates an earlier version of OpenSSL, the patch is not installed on your system. Take the following steps to install the patch.
- Download the OpenSSL 0.9.7d Windows host patch (openssl-0.9.7d.zip) from www.vmware.com/download/gsx_security.html.
- Power off or suspend any virtual machines that are running on the GSX Server host.
- Close any open VMware Management Interface and VMware Virtual Machine Console sessions connected to the GSX Server host.
- Open the Services window to stop two VMware services. Choose Start > Programs > Administrative Tools > Services. Right-click VMware Authorization Service and select Stop.
- In the Services window, right-click VMware Registration Service and select Stop.
- Unzip the downloaded patch.
- Extract the files libeay32.dll and ssleay32.dll to each of the following directories:
  - C:\Program Files\VMware\VMware GSX Server
  - C:\Program Files\VMware\VMware GSX Server\bin
  - C:\Program Files\VMware\VMware GSX Server\bin-debug
  - C:\Program Files\VMware\VMware VmCOM Scripting API
  - C:\Program Files\VMware\VMware VmPerl Scripting API
  - C:\WINNT\system32
- When asked if you want to replace the existing files, select Yes.
- Extract openssl.exe to C:\Program Files\VMware\VMware Management Interface.
Note: If you installed in a non-default location, you must adjust the location selected for extracting the patched files.
- Restart the VMware Registration Service. In the Services window, right-click VMware Registration Service and select Start.
- Restart the VMware Authorization Service. In the Services window, right-click VMware Authorization Service and select Start.
- You may now resume or power on any virtual machines on the GSX Server host.
Patching a Linux Host
To verify whether your VMware GSX Server 3.0.0 (for Linux) system has been patched, run this command from a terminal:
/usr/lib/vmware/bin/openssl version
If the command returns:
"OpenSSL 0.9.7d <date>"
(where <date> is the date returned by the command), your system has already been patched and no further steps are necessary.
If the command indicates an earlier version of OpenSSL, the patch is not installed on your system. The patch is available for download. It contains a new version of the VMware Management Interface that includes the patched version of OpenSSL. It also contains openssl, libssl.so.0.9.7 and libcrypto.so.0.9.7. Complete the following steps to install the patch.
- Download the OpenSSL 0.9.7d patch file (openssl-0.9.7d.tar.gz) from www.vmware.com/download/gsx_security.html.
- Power off or suspend any virtual machines that are running on the GSX Server host.
- Close any open VMware Management Interface and VMware Virtual Machine Console sessions connected to the GSX Server host.
- Uninstall the VMware Management Interface:
  /usr/bin/vmware-uninstall-mui.pl
- Change to the directory where you downloaded the patch archive.
- Untar the patch archive:
  tar zxf openssl-0.9.7d.tar.gz
  The archive contains the following files.
  libssl.so.0.9.7
  libcrypto.so.0.9.7
  openssl
  VMware-mui-<xxxx>.tar.gz
- Copy libssl.so.0.9.7 and libcrypto.so.0.9.7 to the following directories. Replace the existing files.
  /usr/lib/vmware/lib
  /usr/lib/vmware-api/lib
- Copy openssl to /usr/lib/vmware/bin. Replace the existing file.
- Untar the management interface installation program:
  tar zxf VMware-mui-<xxxx>.tar.gz
  where <xxxx> is a series of numbers representing the version and build numbers.
- Run the installation program:
  ./vmware-install.pl
  The updated version of the management interface contains the correct version of openssl.
- You may now resume or power on any virtual machines on the GSX Server host.
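The version check at the start of this section and the two library copies in the steps above can be scripted. The following POSIX sh helper is an added example, not code from the VMware article: it parses the `openssl version` banner, decides whether it reports 0.9.7d or later (OpenSSL 0.9.x releases carry a letter suffix, so a plain string comparison is not enough), and confirms that both library directories named above hold the copied files. Paths are the article's defaults; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the VMware KB article: a POSIX sh helper that
# performs the article's Linux verification step (compare the `openssl version`
# banner against 0.9.7d) and confirms the patched libraries were copied into
# both library directories the article lists. Paths are the article's defaults.

FIXED_VERSION="0.9.7d"   # first OpenSSL release with the March 2004 fixes

# version_key 0.9.7c -> integer that orders OpenSSL 0.9.x versions, including
# their single-letter patch suffix (no suffix sorts before "a").
version_key() {
    v=$1
    num=${v%%[a-z]*}                  # numeric part, e.g. 0.9.7
    suffix=${v#"$num"}                # whatever follows, e.g. c or e-fips
    letter=${suffix%"${suffix#?}"}    # first character of the suffix, or empty
    if [ -n "$letter" ]; then code=$(printf '%d' "'$letter"); else code=0; fi
    oldIFS=$IFS; IFS=.; set -- $num; IFS=$oldIFS
    echo $(( ${1:-0} * 16777216 + ${2:-0} * 65536 + ${3:-0} * 256 + code ))
}

# openssl_is_patched "OpenSSL 0.9.7c 30 Sep 2003": exit 0 when the banner
# reports 0.9.7d or later, 1 when older, 2 when it is not an OpenSSL banner.
openssl_is_patched() {
    set -- $1                         # split the banner into words
    [ "$1" = "OpenSSL" ] || return 2
    [ "$(version_key "$2")" -ge "$(version_key "$FIXED_VERSION")" ]
}

# check_lib_dirs ROOT: the patched libssl/libcrypto keep the 0.9.7 file name,
# so this only confirms both copies are in place; the banner check above is
# what proves the version. ROOT defaults to /usr/lib as in the article.
check_lib_dirs() {
    root=${1:-/usr/lib}; missing=0
    for dir in "$root/vmware/lib" "$root/vmware-api/lib"; do
        for lib in libssl.so.0.9.7 libcrypto.so.0.9.7; do
            if [ ! -f "$dir/$lib" ]; then
                echo "missing: $dir/$lib"; missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone use on a GSX Server host (skipped where the VMware openssl is absent).
if [ -x /usr/lib/vmware/bin/openssl ]; then
    banner=$(/usr/lib/vmware/bin/openssl version)
    if openssl_is_patched "$banner"; then echo "patched: $banner"; else echo "NOT patched: $banner"; fi
    check_lib_dirs /usr/lib
fi
```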
Patching a Windows Client
If your GSX Server for Linux host requires the OpenSSL patch, then you have two choices for Windows clients:
- If the Linux host is already patched, connect to the VMware Management Interface on the Linux host, then download and install the Windows VMware Virtual Machine Console. See www.vmware.com/support/gsx3/doc/manage_console_upgrade_gsx.html for details.
- Patch every Windows client that uses the VMware Virtual Machine Console to connect to virtual machines on the host. Complete the steps below.
If your GSX Server for Windows host requires the OpenSSL patch, then you must patch your Windows clients. Complete the following steps.
- Close any open VMware Virtual Machine Console sessions on the client.
- Download the patch (openssl-0.9.7d.zip) from www.vmware.com/download/gsx_security.html.
- Unzip the downloaded patch.
- Extract the files libeay32.dll and ssleay32.dll to each of the following directories.
  C:\Program Files\VMware\VMware Virtual Machine Console
  C:\Program Files\VMware\VMware Virtual Machine Console\bin
  C:\Program Files\VMware\VMware Virtual Machine Console\bin-debug
Note: If you installed in a non-default location, you must adjust the location selected for extracting the patched files.
Caution: If you install the VMware Virtual Machine Console on other Windows clients, you must apply the patch to those clients.
Patching a Linux Client
If your GSX Server for Linux host requires the OpenSSL patch, then you must replace the VMware Virtual Machine Console on your Linux clients. Do one of the following:
- If the Linux host is already patched, connect to the VMware Management Interface on the Linux host, then download and install the Linux VMware Virtual Machine Console. See www.vmware.com/support/gsx3/doc/manage_console_upgrade_gsx.html for details.
- Download the new VMware Virtual Machine Console installation package from www.vmware.com/download/gsx_security.html. Choose between the RPM and tar installer packages.
  - VMware-console-<xxxx>.i386.rpm (??MB)
  - VMware-console-<xxxx>.tar.gz (??MB)
  where <xxxx> is a series of numbers representing the version and build numbers.
If your GSX Server for Windows host requires the OpenSSL patch, then you must replace the VMware Virtual Machine Console on your Linux clients.
Download the new VMware Virtual Machine Console installation package from www.vmware.com/download/gsx_security.html. Choose between the RPM and tar installer packages.
- VMware-console-<xxxx>.i386.rpm (??MB)
- VMware-console-<xxxx>.tar.gz (??MB)
where <xxxx> is a series of numbers representing the version and build numbers.
Removing the Existing Console
Before you install the new console, uninstall the existing console on each Linux client.
- To uninstall a Linux console that was installed from an RPM package, type the following:
  rpm -e VMware-console
- To uninstall a Linux console that was installed from a tar package, run the program:
  /usr/bin/vmware-uninstall-console.pl
Installing the Patched Console
To install the Linux console on a client, do one of the following:
- To install a Linux console from an RPM package, in a terminal type:
  rpm -Uhv VMware-console-<xxxx>.i386.rpm
  where <xxxx> is a series of numbers representing the version and build numbers.
- To install a Linux console from a tar package, in a terminal type:
  tar zxf VMware-console-<xxxx>.tar.gz
  where <xxxx> is a series of numbers representing the version and build numbers.
Keywords
- KB Article: 1257
- Updated: Aug 14, 2009
- Products: VMware GSX Server
- Product Versions: VMware GSX Server 3.x (Linux), VMware GSX Server 3.x (Windows)

