Title

VirtualCenter communications to the ESX Server are unencrypted. (Cat II impact)

Discussion

User sessions with the ESX Server should be encrypted since transmitting data in plaintext may be viewed as it travels through the network. User sessions may be initiated from the VI client, Web Access, or through VirtualCenter. To encrypt session data, the sending component, such as a gateway or redirector, applies ciphers to alter the data before transmitting it. The receiving component uses a key to decrypt the data, returning it to its original form. To ensure the protection of the data transmitted to and from external network connections, ESX Server uses the 256-bit AES block encryption. ESX Server also uses 1024-bit RSA for key exchange. These encryption algorithms are the default for VI Client, VI Web Access, VirtualCenter sessions.

Check Content

On the ESX Server service console perform the following: # grep ssl /etc/vmware/hostd/config.xml (ssl) (privatekey)/etc/vmware/ssl/DoD Key(/privatekey) (certificate)/etc/vmware/ssl/DoD Cert(/certificate) (/ssl) If you do not see the DoD key and certificate listed between the SSL tags or the lines are commented out, this is a finding.

Fix Text

Encrypt all VirtualCenter sessions with ESX Servers.

Additional Identifiers

Rule ID: SV-16798r1_rule

Vulnerability ID: V-15857

Group Title: VirtualCenter to ESX Server comm. is not encyrpted

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.