...
Weak ciphers are defined by the number of key bits and the techniques used for encryption. To detect the ciphers supported on a specific port of an ESX/ESXi host or of vCenter Server/vCenter Server Appliance, you can use open source tools such as OpenSSL, for example by running:

openssl s_client -cipher LOW -connect hostname:port

In addition, you can use vulnerability scanners such as Nessus to check SSL services on arbitrary ports. Weak SSL encryption is detected on ESX/ESXi versions 4.0.x and 4.1 and on ESXi version 5.x. However, by default both vCenter Server and ESX hosts select the highest-grade SSL or TLS cipher supported, for example AES256-SHA. Weak ciphers in VMware environments result in situations such as the following:

- A security scan of the VMware environment shows that weak SSL ciphers are detected.
- ESX or ESXi hosts fail a PCI scan because weak ciphers are enabled.
- An audit of the VMware environment discovers that the Virtual Center service supports a number of weak SSL ciphers.
- Nessus scans identify ESX hosts as supporting weak SSL ciphers.
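The following script is an added example and is not part of the original article or VMware's tooling. It automates the check described above: it runs the same openssl s_client probe once per cipher suite the local OpenSSL build knows about, keeps the suites the server actually negotiates, and flags the weak ones by the criteria the article names (key bits and technique). The cut-offs used here (RC4, single DES, 3DES, MD5 MAC, export-grade, anonymous key exchange, fewer than 128 key bits) are this example's own choices, as is the constructed `openssl ciphers -v` sample listing that the offline mode classifies; live probing assumes `openssl` is on PATH.

```python
#!/usr/bin/env python3
"""Enumerate the TLS suites a host:port accepts with the article's openssl
s_client probe and flag the weak ones.

Added example, not VMware's code. The weakness criteria are this example's
own reading of the article's "number of bits and technique" definition."""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `openssl ciphers -v` output (not captured from a host).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

# One `openssl ciphers -v` line: NAME PROTO Kx=.. Au=.. Enc=ALG(BITS) Mac=.. [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)


@dataclass
class Verdict:
    name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def weak(self) -> bool:
        return bool(self.reasons)


def assess(line: str) -> Optional[Verdict]:
    """Classify one `openssl ciphers -v` line; None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    v = Verdict(m["name"])
    enc, bits, mac, au = m["enc"], int(m["bits"]), m["mac"], m["au"]
    if line.split()[-1] == "export":
        v.reasons.append("export-grade suite")
    if au == "None":
        v.reasons.append("anonymous key exchange (no server authentication)")
    if enc == "RC4":
        v.reasons.append("RC4 stream cipher")
    elif enc == "DES":
        v.reasons.append("single DES")
    elif enc == "3DES":
        v.reasons.append("3DES (64-bit block, deprecated)")
    elif enc == "None":
        v.reasons.append("no encryption")
    if bits < 128:
        v.reasons.append(f"{bits}-bit key")
    if mac == "MD5":
        v.reasons.append("MD5 MAC")
    return v


def weak_ciphers(ciphers_v: str) -> List[str]:
    """Names of the weak suites in an `openssl ciphers -v` listing, in listing order."""
    return [v.name for v in map(assess, ciphers_v.splitlines()) if v and v.weak]


def probe(host: str, port: int, cipher: str, timeout: float = 10.0) -> bool:
    """The article's check for a single suite: does the server complete a handshake
    when the client offers only `cipher`? Covers TLS 1.2 and below (TLS 1.3 suites
    are chosen with -ciphersuites and are not probed here). Note that the local
    OpenSSL build also gates what it will offer: modern builds omit RC4 and export
    suites entirely, so a legacy build is needed to confirm those from the client side."""
    proc = subprocess.run(
        ["openssl", "s_client", "-cipher", cipher, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=timeout,
    )
    return proc.returncode == 0 and b"Cipher is (NONE)" not in proc.stdout


def scan(host: str, port: int) -> List[Verdict]:
    """Offer every suite the local OpenSSL knows and keep the ones the server accepted."""
    listing = subprocess.run(
        ["openssl", "ciphers", "-v", "ALL:COMPLEMENTOFALL"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [v for v in map(assess, listing.splitlines()) if v and probe(host, port, v.name)]


def report(verdicts: List[Verdict]) -> None:
    for v in verdicts:
        print(f"{'WEAK' if v.weak else 'ok  '} {v.name:<32} {'; '.join(v.reasons)}")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live mode: script.py hostname port
        report(scan(sys.argv[1], int(sys.argv[2])))
    else:  # offline mode: classify the constructed sample listing
        report([v for v in map(assess, SAMPLE_CIPHERS_V.splitlines()) if v])
```

Run with no arguments to see the classification applied to the sample listing, or with a hostname and port to probe a host you administer. A suite is reported as accepted only when the handshake completes, which is the same signal the manual openssl s_client command gives; the per-suite reasons make it clear whether a finding is about the bulk cipher, the MAC, or the key exchange.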
The following tables list the supported ciphers and their ports on ESX/ESXi and vCenter Server. These ciphers are based on the VMware-built OpenSSL package that is shipped with vCenter Server (C:\Program Files\VMware\vCenter Server\openSSL\openssl.exe in vSphere 6.0), vCenter Server Appliance (/usr/lib/vmware-openSSL/openssl in vSphere 6.0), and ESXi (/bin/openssl). VMware does not use the OpenSSL package shipped natively with SLES, and does not support disabling individual ciphers on the products below.

ESX/ESXi Supported Ciphers

Port 443
Version          RC4-MD5         RC4-SHA         AES128-SHA   DES-CBC3-SHA    Suite B (1,2)
ESX 4.0          Supported       Supported       Supported    Supported       Not Supported
ESX 4.0 Update   Supported       Supported       Supported    Supported       Not Supported
ESX 4.1          Supported       Supported       Supported    Supported       Not Supported
ESXi 5.x         Not Supported   Not Supported   Supported    Supported       Supported (2)
ESXi 6.0         Not Supported   Not Supported   Supported    Not Supported   Supported (2)
ESXi 6.5         Not Supported   Not Supported   Supported    Not Supported   Supported (2)
ESXi 6.7         Not Supported   Not Supported   Supported    Not Supported   Supported (2)

vCenter Server Supported Ciphers

Port 443
Version                     RC4-MD5         RC4-SHA         DES-CBC3-SHA    AES128-SHA      EDH-RSA-DES-CBC3-SHA   Suite B (1,2)
vCenter Server 4.0          Supported       Supported       Supported       Supported       Supported              Not Supported
vCenter Server 4.0 Update   Supported       Supported       Supported       Supported       Supported              Not Supported
vCenter Server 4.1          Supported       Supported       Supported       Supported       Supported              Not Supported
vCenter Server 5.x          Not Supported   Not Supported   Supported       Supported       Not Supported          Not Supported
vCenter Server 6.0          Not Supported   Not Supported   Not Supported   Supported       Not Supported          Supported (2)
vCenter Server 6.5          Not Supported   Not Supported   Not Supported   Supported       Not Supported          Supported (2)
vCenter Server 6.7          Not Supported   Not Supported   Not Supported   Supported       Not Supported          Supported (2)

Port 9087 and 8443
Version                     RC4-MD5         RC4-SHA         DES-CBC3-SHA    AES128-SHA      EDH-RSA-DES-CBC3-SHA   Suite B (1,2)
vCenter Server 4.0          Supported       Supported       Supported       Not Supported   Supported              Not Supported
vCenter Server 4.0 Update   Supported       Supported       Supported       Not Supported   Supported              Not Supported
vCenter Server 4.1          Supported       Supported       Supported       Not Supported   Supported              Not Supported

Port 9443
Version                     RC4-MD5         RC4-SHA         DES-CBC3-SHA    AES128-SHA      EDH-RSA-DES-CBC3-SHA   Suite B (1,2)
vCenter Server 5.1          Not Supported   Not Supported   Supported       Supported       Supported              Not Supported
vCenter Server 5.5          Not Supported   Not Supported   Supported       Supported       Supported              Not Supported
vCenter Server 6.0          Not Supported   Not Supported   Not Supported   Supported       Not Supported          Supported (2)
vCenter Server 6.5          Not Supported   Not Supported   Not Supported   Supported       Not Supported          Supported (2)
vCenter Server 6.7          Not Supported   Not Supported   Not Supported   Supported       Not Supported          Supported (2)

Notes:

1. For more information about cipher Suite B, see the National Security Agency articles Suite B Cryptography and NSA Suite B Cryptography.
2. The Suite B cipher suite includes:
   ECDHE-RSA-AES128-GCM-SHA256; ECDHE-ECDSA-AES128-GCM-SHA256; ECDHE-RSA-AES128-SHA256; ECDHE-ECDSA-AES128-SHA256;
   ECDHE-RSA-AES128-SHA; ECDHE-ECDSA-AES128-SHA; DHE-DSS-AES128-GCM-SHA256; DHE-RSA-AES128-GCM-SHA256;
   ECDH-RSA-AES128-GCM-SHA256; ECDH-ECDSA-AES128-GCM-SHA256; ECDH-RSA-AES128-SHA256; ECDH-ECDSA-AES128-SHA256;
   ECDH-RSA-AES128-SHA; ECDH-ECDSA-AES128-SHA; AES128-GCM-SHA256; AES128-SHA256;
   ECDHE-RSA-AES256-GCM-SHA384; ECDHE-ECDSA-AES256-GCM-SHA384; ECDHE-RSA-AES256-SHA384; ECDHE-ECDSA-AES256-SHA384;
   ECDHE-RSA-AES256-SHA; ECDHE-ECDSA-AES256-SHA; ECDH-RSA-AES256-GCM-SHA384; ECDH-ECDSA-AES256-GCM-SHA384;
   ECDH-RSA-AES256-SHA384; ECDH-ECDSA-AES256-SHA384; ECDH-RSA-AES256-SHA; ECDH-ECDSA-AES256-SHA;
   AES256-GCM-SHA384; AES256-SHA256

For related information, see VirtualCenter Server 2.5 Update 4 and later uses high-security SSL ciphers (1009408) and ESXi 5.0 disables nonsecure ciphers in Internet Explorer 6 (2003464). For vSphere 7.0 information, see VMware vSphere 7.0 Default SSL/TLS Cipher Suites.

Ensure weak SSL encryption is not detected

The best practices to mitigate the risk of weak SSL encryption being detected on ESX 3.0.x, 4.0.x and 4.1, as well as on ESXi 4.1, 5.x and 6.0, are:

- Ensure that ESX hosts are not directly accessible from the Internet and are protected by firewalls.
- Ensure that browsers are configured not to use weak ciphers when connecting to ESX/ESXi hosts.

Additional Information

For translated versions of this article, see:

- Japanese: Supported ciphers on ESX/ESXi and vCenter Server (2097063)
- Simplified Chinese: Supported ciphers on ESX/ESXi and vCenter Server (2102396)