• Category Archives vCenter
  • Heartbleed – OpenSSL Vulnerability in a Citrix Environment

    There is a lot of news and chatter going on right now about the OpenSSL vulnerability Heartbleed. This is a critical issue, as documented here. So what is Heartbleed, and what makes it so dangerous?

    The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

    This is a very wide-reaching issue and is considered critical. Patching OpenSSL or the affected products alone will not be enough to solve the issue. Your certificates will also have to be either regenerated or rekeyed, and depending on how your programs interact this may require additional work for products that connect to each other. For example, XenDesktop connecting to a vSphere instance imports the vCenter certificate for trust, so if you replace the vSphere certificate you also need to import the new vCenter certificate into XenDesktop.
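    Replacing a certificate after Heartbleed only closes the exposure if the private key behind it is new as well: a certificate re-issued over the same key pair leaves the possibly leaked key valid. The check below is an added example, not code from the original post or from Citrix or VMware; it compares the SubjectPublicKeyInfo of the old and replacement certificates with a small stdlib DER walker, and the sample certificates it ships with are constructed skeletons (unsigned, empty names), not real vCenter certificates.

```python
import hashlib
import ssl
def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def _children(body):
    """Yield (tag, value, raw_tlv) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, raw, pos = _tlv(body, pos)
        yield tag, val, raw

def spki_fingerprint(cert):
    """SHA-256 over the DER SubjectPublicKeyInfo of a PEM or DER X.509 cert."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode().strip())
    _, cert_body, _, _ = _tlv(cert, 0)         # Certificate ::= SEQUENCE { tbs, alg, sig }
    tbs = next(_children(cert_body))[1]        # tbsCertificate body
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return hashlib.sha256(fields[5][2]).hexdigest()

def rekeyed(old_cert, new_cert):
    """True only if the replacement certificate carries a different public key."""
    return spki_fingerprint(old_cert) != spki_fingerprint(new_cert)

# --- constructed sample data (not real certificates; no signature, empty names) ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body      # short-form lengths only (< 128 bytes)

def _fake_cert(serial, pubkey):
    alg, empty = _der(0x30, b""), _der(0x30, b"")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + alg + empty + empty + empty + spki)
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

OLD_CERT = _fake_cert(1, b"\x01" * 32)
RENEWED_CERT = _fake_cert(2, b"\x01" * 32)     # new serial, same key pair: still exposed
REKEYED_CERT = _fake_cert(3, b"\x02" * 32)     # new key pair: what Heartbleed requires
OLD_CERT_PEM = ssl.DER_cert_to_PEM_cert(OLD_CERT).encode()
```

    Point `rekeyed()` at the certificate you exported before patching and the one the server presents afterwards (PEM or DER); a False result means the replacement reused the old key pair.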

    Citrix has released a Security Advisory detailing the products affected by Heartbleed. Other vendors, such as VMware, EMC and Cisco, are also publishing articles detailing their affected products. Per the Security Advisory released by Citrix, most of the products in the Citrix portfolio are unaffected, but check the article to confirm, as they are still researching some of their products.

    Many Citrix environments run on VMware vSphere, and some versions, such as vSphere 5.5, are affected by Heartbleed. XenDesktop (any version) as well as XenApp 7.x and higher depend on the certificate that vCenter uses. If you resolve the issue and regenerate the certificate for your vCenter, you will need to import the new certificate into XenDesktop again, following the same instructions that were completed during the initial setup.

    My general advice is to find and document the items in your environment that are affected, map out any dependencies, and create an attack plan to resolve them, as this is a major compromise of your security. If you aren’t sure what those may be, reach out to your partners, who may have detailed information on what to look for.


  • vCenter Certificate Automation Tool

    VMware announced a new tool on 4/4/2013 that aims to help with certificate deployments in vSphere 5.1. You can read the notes on the product below and download the vCenter Certificate Automation Tool here.

    From the Installation Document:

    VMware is announcing the release of the vCenter Certificate Tool 1.0. This tool will help customers update the certificates needed for running vCenter Server and supporting components. This is mostly for customers who use custom certificates, either generated internally from corporate CAs or from public CAs like VeriSign.

    Various components within the vSphere and vCenter platform use certificates for identifying themselves as well as for secure communication with external software entities (browsers, API clients). These can broadly be classified into the following categories:

    a) STS Certificate – Certificate used by vCenter Single Sign On (SSO) for encrypting the SAML 2.0 tokens
    b) Solution User Certificates – Certificates used by each solution to identify themselves as users to SSO
    c) SSL Certificates – Certificates needed for SSL communication for the UI and API layer
    d) Host Certificates – Certificates deployed in each ESXi host and used for secure vCenter to ESXi communication.

    The certificate tool automates the update of certificates in the management layer only (a, b, c above). This tool does NOT handle replacement of certificates in ESXi hosts.

    The vCenter Cert Tool aims to automate the process of uploading certificates and restarting the following components within the vCenter platform:

    1. vCenter Server
    2. vCenter Single Sign On
    3. vCenter Inventory Service
    4. vSphere Web Client
    5. vCenter Log Browser
    6. VMware Update Manager (VUM)
    7. vCenter Orchestrator (VCO)