Saturday, November 19, 2016

PCI DSS / FIPS 140-2 - TLS 1.0 / 1.1 disablement and VMware products

UPDATE - 3/4/2017

With the November 15, 2016 release of vSphere 6.5 and the February 28, 2017 release of vSphere 6.0 Update 3, VMware customers now have the ability to disable TLS 1.0 and TLS 1.1 for the majority of the VMware products they use. There are a few products still being worked on and updates or releases are pending. Specific product status is outlined in kb 2145796 and there is a link to the kb article below.

NOTE: Review the kb articles closely as there are caveats for some products that are still being addressed.

NOTE: If you don't see your product or version listed in the kb article, it is very possible it will not be updated to support TLS 1.0 / 1.1 disablement. You may need to upgrade to a newer version of a product to get support for TLS 1.0 / 1.1 disablement.

TLS 1.0 disablement is critical to pass PCI DSS compliance scans and audits, which must be completed by June 30, 2018. In addition to PCI DSS, many regulatory bodies, government agencies and company policies have security and compliance requirements for TLS 1.0 / 1.1 disablement. This includes the FIPS 140-2 standard, which requires a minimum of TLS 1.1 and recommends TLS 1.2.

Before attempting to disable TLS 1.0 or TLS 1.1, it is critical to review all VMware products, along with any third party products you are using (such as backup or monitoring software) that talk directly to either vCenter or ESXi hosts, to make sure they continue to function with TLS 1.0 / 1.1 disabled and only TLS 1.2 enabled. It is likely that both VMware and third party products will need to be updated to versions which support TLS 1.0 / 1.1 disablement and use TLS 1.2 BEFORE you attempt to disable TLS 1.0 or TLS 1.1.
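A check for the step above, written for this post and not part of VMware's scripts or kb articles: it asks an endpoint (a vCenter or ESXi host on port 443, or any third party product's management port) for a handshake at each of TLS 1.0, 1.1 and 1.2 separately, so you can record what each system accepts before running the configuration script and confirm afterwards that only TLS 1.2 remains. The host and port are assumptions; the code uses only the Python standard library.

```python
import socket
import ssl

PROBED_VERSIONS = {  # keys spelled as ssl.SSLSocket.version() reports them
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def _client_context(version):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we probe the protocol, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version  # offer exactly one version per handshake
    ctx.maximum_version = version
    # OpenSSL 3 only offers TLS 1.0/1.1 at security level 0; if the local
    # library rejects this string the whole probe reports "untestable"
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Per version: True = handshake completed, False = server refused it,
    None = untestable (no TCP connection or local OpenSSL lacks the version)."""
    results = {}
    for name, version in PROBED_VERSIONS.items():
        try:
            ctx = _client_context(version)
            raw = socket.create_connection((host, port), timeout=timeout)
        except (ValueError, OSError):
            results[name] = None
            continue
        try:
            with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[name] = tls.version() == name
        except ssl.SSLError as exc:  # alert, EOF or "no protocols available"
            results[name] = None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
        except OSError:  # connection reset during the handshake
            results[name] = False
    return results


def disablement_verdict(results):
    """Judge a probe the way a PCI DSS scan does after TLS 1.0/1.1 disablement."""
    untested = [k for k, v in results.items() if v is None]
    if untested:
        return "inconclusive: could not test " + ", ".join(untested)
    legacy = [k for k in ("TLSv1", "TLSv1.1") if results[k]]
    if legacy:
        return "legacy protocols still accepted: " + ", ".join(legacy)
    if not results["TLSv1.2"]:
        return "TLS 1.2 refused: service would be unreachable after disablement"
    return "only TLS 1.2 accepted"
```

Run `disablement_verdict(probe_tls_versions("vcenter.example.internal"))` against each host before and after the change; a "TLS 1.2 refused" verdict on a third party product is the case the paragraph above warns about.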

Below are links to the official VMware kb articles and the location where you can download the scripts for either the Windows vCenter or the vCenter Appliance. The scripts are needed to change the TLS Configuration on vCenter, ESXi hosts and VUM. Other VMware products have their own kb article on how to manually change the TLS Configuration.

Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796)

vSphere 6.5:
Managing TLS protocol configuration for vSphere 6.5 (2147469)

Link to download TLS configuration script for vSphere 6.5:

vSphere 6.0 Update 3:
Managing TLS protocol configuration for vSphere 6.0 Update 3 (2148819)

Link to download TLS configuration script for vSphere 6.0 Update 3:

Thursday, January 21, 2016

Planning for VMtools after vSphere 5.5 U3b and 6.0 U1b updates

In September 2015, VMware announced the separation of the VMtools development and release cycles from vSphere releases.

Recently there were two releases, 5.5 U3b and 6.0 U1b, which included VMtools v10.0, but a newer version, 10.0.5, is out and does contain some fixes.

As you plan your upgrades to either 5.5 U3b or 6.0 U1b and are looking to upgrade the VMtools package, I would take a close look at v10.0.5 and make it your standard version.

NOTE: This does not apply to Horizon View environments. As noted in a previous post, VMtools v10 are currently not supported on View environments.

Below is a link to the VMtools 10.0.5 download page, where you can find the latest version of the VMtools:

Here are links to a couple blog posts related to the separation of release cycles for VMtools from vSphere.

VMware Tools 10.0.0 Released

VMware Tools Lifecycle: Why Tools Can Drive You Crazy (and How to Avoid it!)

VMtools vulnerability

VMware is currently tracking an emergent issue with a vulnerability present in the VMware Tools “Shared Folders” (HGFS) feature running on Microsoft Windows. Successful exploitation could lead to an escalation of privilege in the guest OS.

Products affected: ESXi 5.0, 5.1, 5.5, 6.0, Workstation (prior to 11.1.2), VMware Player (prior to 7.1.2) and Fusion (prior to 7.1.2).

The Common Vulnerabilities and Exposures (CVE) Identifier is CVE-2015-6933

Solution: Removing the “Shared Folders” feature from previously installed VMware Tools will remove the possibility of exploitation. Furthermore, apply the recommended patches for your product:

NOTE: VMTools installations initiated via vSphere are not affected unless a Complete feature set was specified during the initial installation.

Thursday, January 7, 2016

vSphere 6.0 U1b released - includes changes to TLS

On January 7, 2016, VMware released minor updates to vCenter and ESXi, v6.0 U1b. These updates are an important first step towards removing TLS 1.0 to meet regulatory and security requirements such as PCI DSS 3.1.

The 6.0 U1b updates add support for TLS versions 1.1 and 1.2 for most of the vSphere components without breaking the previously supported compatibility/interoperability.

Some vSphere components still support only TLS version 1.0; they are listed below:
vSphere Client
Virtual SAN Observer on vCenter Server Appliance (vCSA)
Syslog on vCSA
Auto Deploy on vCSA
Auto Deploy/iPXE

Once the patches are applied to vCenter Server and ESXi hosts, they will support all TLS versions (1.0, 1.1 and 1.2), with the exception of the components listed above. See Knowledge Base article 2136185 for the list of protocol versions supported by each service, as tested for compatibility and interoperability.

When planning upgrades to your vSphere 6 environment, it is important to follow Knowledge Base article 2109760 (Update sequence for vSphere 6.0 and its compatible VMware products), the VMware Product Interoperability Matrix and the information in the release notes.

Below are links to the release notes:
VMware vCenter Server 6.0 U1b - find the release notes here
VMware ESXi 6.0 U1b - find the release notes here

Did you know that PCI DSS 3.1 implementation date has been delayed?

If you work for a company that allows customers to pay directly using either a debit or credit card, you are likely required to follow Payment Card Industry (PCI) Data Security Standards (DSS).

The latest version of these standards, PCI-DSS 3.1, was released back in April 2015 and had two specific requirements for changes to communication protocols: SSL v3 and TLS 1.0 were to be removed by June 30, 2016.

Back on December 18th, the PCI Security Standards Council announced it was delaying the requirement to meet the new standards by two (2) years, to June 30, 2018. The announcement information can be found here and here.

If you're interested in learning more about PCI-DSS 3.1, you can review this document or research additional information on the PCI Security Standards Council site.

Monday, January 4, 2016

Caution - proper planning needed when upgrading vSphere to 5.5 U3b in environments with SRM and Horizon View

Back on December 8, 2015, VMware released v5.5U3b for vCenter and ESXi. Typically, such minor updates are fairly straightforward. However, this update includes a fairly significant change which requires more thought and planning than most.

As part of this update, the SSL v3 protocol is disabled by DEFAULT upon installation. This could have a significant impact on your environment, depending on the installation/upgrade sequence you follow and on which VMware and 3rd party products in your environment still rely on SSL v3.

Two such products from VMware that could be affected include Site Recovery Manager (SRM) and Horizon View.

If you have SRM running in your environment, you need to make sure you have installed and are running SRM v5.8.1 or greater BEFORE you upgrade to vSphere v5.5U3b. SRM v5.8.1 and greater do not rely on SSL v3 and thus will not be affected by the upgrade, whereas earlier versions of SRM do require SSL v3.

** Update ** 1/8/2016
KB 2142487 has been published with additional information about SRM requirements.

Horizon View
If you have Horizon View running in your environment, you need to make sure you have installed and are running View v6.2 or greater BEFORE you upgrade to vSphere v5.5U3b. View v6.2 and greater do not rely on SSL v3 and thus will not be affected by the upgrade, whereas earlier versions of View do require SSL v3.

Also, as part of vSphere 5.5U3b, the version of VMware Tools included with the release is v10.0, which is currently not supported on any version of Horizon View. See the Interoperability Matrix information below.

3rd Party products
If you have 3rd party products which connect to either vCenter or ESXi hosts directly, you should confirm if the version running in your environment requires SSL v3 before upgrading to v5.5U3b.

You may notice the Interoperability Matrix shows VMware Tools as "downloadable only", and according to the v5.5U3b release notes, VMtools v10.0 is included with this release. So, it's important not to upgrade VMtools within your Horizon View environment to v10.0 at this time.