VMware vCenter Server Appliance workaround for CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Article ID: 343640

Products

VMware vCenter Server

Issue/Introduction

This article provides a workaround for the security issue CVE-2015-7547 for certain VMware vCenter Server Appliance versions. The workaround is to add firewall (iptables) rules on the affected VMware vCenter Server Appliance that log and drop DNS responses larger than 2048 bytes.

Warning: This workaround is applicable only to VMware vCenter Server Appliance. Do not attempt to apply these steps on other VMware products, and do not use this mitigation if you are using EDNS0 or DNSSEC on your virtual appliance (EDNS0 and DNSSEC are not supported in VMware vCenter Server Appliance).

The following versions of VMware vCenter Server Appliance are affected by the CVE-2015-7547 issue:

  • VMware vCenter Server Appliance 5.0
  • VMware vCenter Server Appliance 5.1
  • VMware vCenter Server Appliance 5.5
  • VMware vCenter Server Appliance 6.0

Note: After a major, minor, or patch upgrade of VMware vCenter Server Appliance, the iptables rules do not persist.

Caution: When you create the firewall rules using the script, run the script only once. Running the script multiple times creates duplicate entries.

Environment

VMware vCenter Server Appliance 5.5.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 5.1.x
VMware vCenter Server Appliance 5.0.x

Resolution

This issue is resolved in the following releases available at VMware Downloads:

To work around this issue, perform one of the following procedures:

Creating Firewall rules in VMware vCenter Server Appliance Using Script (Recommended)

Note: Using the scripted method will create persistent rules in the firewall that will be maintained after appliance reboots.

To create the workaround firewall rules in VMware vCenter Server Appliance using the script, follow these steps:

  1. Download the vcsa_iptables_scripts-new.zip file attached to the KB article.
  2. Unzip the contents of the vcsa_iptables_scripts-new.zip file.
  3. Open a console or SSH connection to the VMware vCenter Server Appliance and log in as the root user.
  4. Copy the script to the appliance and make it executable using the following command:

    chmod 755 add_iptables_settings.sh

  5. Execute the script using the following command:

    ./add_iptables_settings.sh
    or
    sh add_iptables_settings.sh

  6. Use the following iptables command to display and confirm the new firewall rules for IPv4 (the corresponding listing for the IPv6 rules comes from ip6tables):

    iptables -nL

    Note: When you use the scripts, the iptables rules persist across reboots.

    All dropped packets are logged in /var/log/firewall (the path may vary depending on your virtual appliance), so this file can be reviewed for troubleshooting purposes.

    For example, a dropped-packet entry similar to the following might be displayed:

    2016-02-19T01:43:20+00:00 localhost kernel: [24539.930406] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=10.117.0.1 DST=10.xxx.yy.zzz LEN=4539 TOS=0x00 PREC=0x00 TTL=55 ID=0 PROTO=UDP SPT=53 DPT=33834 LEN=4519
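As an added example (not VMware's attached add_iptables_settings.sh, whose contents this article does not show), the following POSIX shell script installs the same four rules per table idempotently, checking with iptables -C first so the duplicate entries the Caution above warns about cannot occur, and it reviews /var/log/firewall lines for the oversized port-53 replies that the LOG rule records; the manual procedure later in this article adds the identical rules. It assumes an iptables/ip6tables build that supports -C and uses a constructed sample log.

```shell
#!/bin/sh
# Added example, not VMware's attached script. Assumes root on the appliance and an
# iptables/ip6tables build that supports the -C (check) option.
set -eu

# Insert the four workaround rules for one table (iptables or ip6tables), skipping any
# rule that already exists so re-running never creates duplicate entries. DROP is
# inserted before LOG so that, with -I, each LOG rule lands above its DROP rule.
add_dns_length_rules() {
    ipt=$1
    for proto in udp tcp; do
        for target in DROP LOG; do
            if "$ipt" -C INPUT -p "$proto" --sport 53 -m length --length 2049: -j "$target" 2>/dev/null; then
                echo "$ipt: $proto $target rule already present, skipping"
            else
                "$ipt" -I INPUT -p "$proto" --sport 53 -m length --length 2049: -j "$target"
            fi
        done
    done
}

# Read /var/log/firewall-style kernel lines on stdin and print "SRC PROTO LEN" for every
# reply from source port 53 whose IP total length (the first LEN= field) exceeds 2048,
# i.e. the replies the workaround logged and dropped.
oversized_dns_replies() {
    awk '/ SPT=53 / {
        src = ""; proto = ""; len = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "LEN" && len == 0) len = kv[2]
        }
        if (len + 0 > 2048) print src, proto, len
    }'
}

count_oversized_dns_replies() { oversized_dns_replies | awk 'END { print NR }'; }
# Constructed sample log (modelled on the KB entry above; addresses and lengths are made up).
SAMPLE_LOG='2016-02-19T01:43:20+00:00 localhost kernel: [24539.930406] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=10.117.0.1 DST=10.0.0.5 LEN=4539 TOS=0x00 PREC=0x00 TTL=55 ID=0 PROTO=UDP SPT=53 DPT=33834 LEN=4519
2016-02-19T01:44:02+00:00 localhost kernel: [24581.120001] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=192.0.2.10 DST=10.0.0.5 LEN=3001 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=53 DPT=40212 WINDOW=229 RES=0x00 ACK PSH URGP=0
2016-02-19T01:45:11+00:00 localhost kernel: [24650.000002] IN=eth0 OUT= MAC=02:01:27:cd:a5:a1:00:2a:6a:5b:33:3c:08:00 SRC=192.0.2.20 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=229 RES=0x00 SYN URGP=0'

# Run as root with --apply to install the rules; without it only the sample log is reviewed.
if [ "${1:-}" = "--apply" ]; then
    add_dns_length_rules iptables
    add_dns_length_rules ip6tables
fi
printf '%s\n' "$SAMPLE_LOG" | oversized_dns_replies
```

On a real appliance, replace the sample with `oversized_dns_replies < /var/log/firewall` to list which resolvers returned responses large enough to be dropped.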

Note: The firewall rules need to be removed after you upgrade to a newer version.

Removing Firewall Rules in VMware vCenter Server Appliance Using Script

To remove the workaround firewall rules in VMware vCenter Server Appliance using the script, follow these steps:

  1. Download the vcsa_iptables_scripts-new.zip file attached to the KB article.
  2. Unzip the contents of the vcsa_iptables_scripts-new.zip file.
  3. Open a console or SSH connection to the VMware vCenter Server Appliance and log in as the root user.
  4. Copy the script to the appliance and make it executable using the following command:

    chmod 755 remove_iptables_settings.sh

  5. Execute the script using the following command:

    ./remove_iptables_settings.sh
    or
    sh remove_iptables_settings.sh

  6. Use the following iptables command to display and confirm that the firewall rules have been removed for IPv4 (the corresponding listing for the IPv6 rules comes from ip6tables):

    iptables -nL

Note: When you use the scripts, the change to the iptables rules persists across reboots.

MD5 checksums for the attached files are as follows:

md5 checksum for vcsa_iptables_scripts-new.zip file - 245E8FA48B890B06ED0666B0D316FBE3

md5 checksum for add_iptables_settings.sh - 971d468369420556eff8eb193286b4d4

md5 checksum for remove_iptables_settings.sh - 99672b3577734800aaea32a3609c0043



Manually Creating Firewall Rules in VMware vCenter Server Appliance

Note: Using the manual method will create non-persistent rules in the firewall that will not be maintained after appliance reboots. This method should only be used when the patch cannot be applied to the appliance.

To create the workaround firewall rules in VMware vCenter Server Appliance manually, follow these steps:

  1. Open a console or SSH connection to the VMware vCenter Server Appliance and log in as the root user.

    Note: If you are using vSphere 6.0, you first need to enable and enter the BASH shell. Use the following commands:
    1. Run this command:

      shell.set --enabled true


    2. Run the shell command.

  2. Use the iptables command below to check the current firewall rules for IPv4 and IPv6:

    iptables -nL

    For example:

    iptables -nL

    Chain INPUT (policy DROP)

    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535
    LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535 LOG flags 0 level 4
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    inbound all -- 0.0.0.0/0 0.0.0.0/0
    port_filter all -- 0.0.0.0/0 0.0.0.0/0
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 14
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
    DROP udplite -- 0.0.0.0/0 0.0.0.0/0
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 5 LOG flags 0 level 4 prefix `IPfilter Dropped: '

  3. As a workaround for the vulnerability, add the following firewall rules to iptables using these commands:

    For IPv4 Tables

    iptables -I INPUT -p udp --sport 53 -m length --length 2049: -j DROP
    iptables -I INPUT -p udp --sport 53 -m length --length 2049: -j LOG
    iptables -I INPUT -p tcp --sport 53 -m length --length 2049: -j DROP
    iptables -I INPUT -p tcp --sport 53 -m length --length 2049: -j LOG

    For IPv6 Table

    ip6tables -I INPUT -p udp --sport 53 -m length --length 2049: -j DROP
    ip6tables -I INPUT -p udp --sport 53 -m length --length 2049: -j LOG
    ip6tables -I INPUT -p tcp --sport 53 -m length --length 2049: -j DROP
    ip6tables -I INPUT -p tcp --sport 53 -m length --length 2049: -j LOG

  4. Once completed, ensure that the new firewall rules are present:

    iptables -nL

    For example:

    iptables -nL

    Chain INPUT (policy DROP)
    target prot opt source destination
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535 LOG flags 0 level 4
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535
    LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535 LOG flags 0 level 4
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535


Warning: The IP tables settings mentioned above will not be persisted across vCenter Server Appliance reboots.

Removing Firewall Rules in VMware vCenter Server Appliance Manually

To remove the workaround firewall rules in VMware vCenter Server Appliance manually, follow these steps:

  1. Open a console or SSH connection to the VMware vCenter Server Appliance and log in as the root user.

    Note: If you are using vSphere 6.0, you first need to enable and enter the BASH shell. Use the following commands:

    1. Run this command:

      shell.set --enabled true


    2. Run the shell command.

  2. Use the command below to check the current firewall rules for IPv4 and IPv6:

    iptables -nL

    For example:

    Chain INPUT (policy DROP)
    target prot opt source destination
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535 LOG flags 0 level 4
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 length 2049:65535
    LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535 LOG flags 0 level 4
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 length 2049:65535


  3. Remove the workaround firewall rules using these commands:

    For IPv4 Tables

    iptables -D INPUT -p udp --sport 53 -m length --length 2049: -j LOG
    iptables -D INPUT -p udp --sport 53 -m length --length 2049: -j DROP
    iptables -D INPUT -p tcp --sport 53 -m length --length 2049: -j LOG
    iptables -D INPUT -p tcp --sport 53 -m length --length 2049: -j DROP


    For IPv6 Table

    ip6tables -D INPUT -p udp --sport 53 -m length --length 2049: -j LOG
    ip6tables -D INPUT -p udp --sport 53 -m length --length 2049: -j DROP
    ip6tables -D INPUT -p tcp --sport 53 -m length --length 2049: -j LOG
    ip6tables -D INPUT -p tcp --sport 53 -m length --length 2049: -j DROP


  4. Once completed, ensure that the firewall rules have been removed using the following command:

    iptables -nL

For up-to-date information, click Subscribe to Document in the Actions section and see the VMware Security Advisories.

Attachments

vcsa_iptables_scripts-new.zip