Disabling weak ciphers in vSphere Replication (Port 8123,32032)

Article ID: 368546

Products

VMware vSphere ESXi

Issue/Introduction

A security scanner reports that vSphere Replication 8.8 or later offers weak TLS cipher suites on ports 8123 and 32032.

Environment

VMware vSphere Replication 8.8.x
 
Ports : 8123,32032

Cause

Weak ciphers are encryption algorithms or cipher suites that are vulnerable to attack, often because of insufficient key lengths or because of how the session key is established. The suites flagged here use static RSA key exchange (the TLS_RSA_* suites in the scan below): the server's long-term RSA key both authenticates the server and protects the key exchange, because the client encrypts the premaster secret with the server's RSA public key. If that private key is ever compromised, anyone who recorded earlier sessions can decrypt them. Suites that use ephemeral Diffie-Hellman key exchange (DHE, ECDHE) derive a fresh one-time session key for every connection, so a later compromise of the server's long-term key does not expose past traffic (forward secrecy).
 

Resolution

Identifying Weak Ciphers

Weak ciphers fall into two classes:

  • Deprecated: Algorithms that are still allowed but carry some risk.
  • Disallowed: Algorithms or key lengths that are no longer permitted.

To clear the finding, disable both the deprecated and the disallowed ciphers.

  1. Determine Current Ciphers

    Use nmap with the ssl-enum-ciphers script to list the cipher suites vSphere Replication currently offers on port 8123. The example below runs on the appliance itself against 127.0.0.1; it can equally be run from another host against the appliance's address, and 32032 can be added to the -p list to cover both ports named in the Environment section:

    nmap -sV --script ssl-enum-ciphers -p 8123 127.0.0.1

    Example output:

    root [ /home/admin ]# nmap -sV --script ssl-enum-ciphers -p 8123 127.0.0.1
    Starting Nmap 7.91 ( https://nmap.org ) at 2024-05-18 20:06 IST
    Nmap scan report for localhost.localdomain (127.0.0.1)
    Host is up (0.000046s latency).
     
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |_  least strength: A
     
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 35.02 seconds

    From the output, identify the suites the scanner is alerting on. Note that nmap grades every suite here as A; the finding concerns the static RSA key exchange of the TLS_RSA_* suites (no forward secrecy), not nmap's strength rating. Suites typically flagged:

    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
  2. Update Cipher Configuration

    To disable weak ciphers on port 8123, follow these steps:

    • Snapshot: Take a snapshot of the vSphere Replication appliance.

    • Access: Log in to the vSphere Replication appliance, and to each additional vSphere Replication Server, over SSH as root (for example with PuTTY).

    • Edit Configuration:

      1. Open the file /etc/vmware/hbrsrv.xml in an editor.

      2. Inside the <vmacore> element, add the following <ssl> block to disable the identified weak ciphers (the cipherList value uses OpenSSL cipher-string syntax):

        <ssl>
          <cipherList>!aNULL:!AES256-SHA256:!RSA+AESGCM:ECDHE+AES:AES</cipherList>
        </ssl>
         
      3. Save the file.

      4. Restart the service:

        systemctl stop hbrsrv
        systemctl start hbrsrv
         
    • Explanation of Cipher List (entries are evaluated left to right; an entry prefixed with ! is removed permanently and cannot be re-enabled by a later entry):

      • !aNULL: Excludes cipher suites that offer no authentication.
      • !AES256-SHA256: Excludes the AES256-SHA256 suite (TLS_RSA_WITH_AES_256_CBC_SHA256 in the nmap output).
      • !RSA+AESGCM: Excludes suites that combine RSA key exchange with AES in Galois/Counter Mode (TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384). The ECDHE-RSA suites are not affected, because they use RSA only for authentication, not for key exchange.
      • ECDHE+AES: Enables suites with Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange and AES encryption.
      • AES: Enables all remaining AES suites, which includes the RSA-key-exchange suites not excluded above (TLS_RSA_WITH_AES_128_CBC_SHA256, the TLS_RSA_WITH_AES_*_CBC_SHA suites and the TLS_RSA_WITH_AES_*_CCM* suites).

    This list therefore removes exactly the three suites identified in step 1. If the scanner also flags the remaining TLS_RSA_* suites, they lack forward secrecy for the same reason and can be excluded with !kRSA (the OpenSSL keyword for RSA key exchange) in the same cipherList syntax. In either case, rerun the nmap scan from step 1 after the restart to confirm that the offered suites changed as intended.
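    The following Python script is an added example (editorial code, not VMware/Broadcom code) that ties step 1 and step 2 together: it pulls the suite names out of the nmap ssl-enum-ciphers output and then applies a cipherList to them, emulating enough of OpenSSL's cipher-string rules (! permanent removal, - removal, + reordering, keywords, keyword+keyword intersection and exact suite names) to predict which suites the list drops and which static-RSA suites survive. The suite table and the NMAP_SAMPLE text are constructed from the scan shown above; OpenSSL's ordering and keywords beyond those in KNOWN are not emulated, and STRICT_CIPHER_LIST is an assumption of this example, not a setting from the article. Treat the output as a prediction and confirm it on the appliance with openssl ciphers -v and the nmap rescan.

```python
"""Predict which suites a vSphere Replication cipherList keeps (added example, not VMware code).

Emulates the subset of OpenSSL cipher-string syntax used on this page, over the 16 suites
from the page's nmap scan. OpenSSL's ordering is not emulated; unknown keywords raise.
"""
import re

# (OpenSSL name, IANA name) for every suite in the page's scan, constructed from that output.
SUITE_PAIRS = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("AES256-GCM-SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384"),
    ("AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("ECDHE-RSA-AES256-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    ("ECDHE-RSA-AES128-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
    ("ECDHE-RSA-AES256-SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
    ("ECDHE-RSA-AES128-SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    ("AES256-CCM8", "TLS_RSA_WITH_AES_256_CCM_8"),
    ("AES256-CCM", "TLS_RSA_WITH_AES_256_CCM"),
    ("AES128-CCM8", "TLS_RSA_WITH_AES_128_CCM_8"),
    ("AES128-CCM", "TLS_RSA_WITH_AES_128_CCM"),
    ("AES256-SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256"),
    ("AES128-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"),
    ("AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"),
    ("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"),
]

def tags_for(name):
    """Keyword tags for one suite, named after OpenSSL's cipher-string keywords."""
    tags = {name, "aRSA", "AES", "kECDHE" if name.startswith("ECDHE-") else "kRSA",
            "AES128" if "AES128" in name else "AES256"}
    if "GCM" in name:
        tags.add("AESGCM")
    elif "CCM8" in name:
        tags.add("AESCCM8")
    elif "CCM" in name:
        tags.add("AESCCM")
    return tags

SUITES = {o: tags_for(o) for o, _ in SUITE_PAIRS}
IANA_TO_OPENSSL = {i: o for o, i in SUITE_PAIRS}
# OpenSSL's RSA alias has both a key-exchange and an authentication component and a suite
# must satisfy both, so it matches the TLS_RSA_* suites but not ECDHE-RSA (RSA for auth only).
ALIASES = {"RSA": {"kRSA", "aRSA"}, "ECDHE": {"kECDHE"}, "EECDH": {"kECDHE"}}
KNOWN = {"aNULL", "kRSA", "aRSA", "kECDHE", "AES", "AES128", "AES256",
         "AESGCM", "AESCCM", "AESCCM8"} | set(ALIASES) | set(SUITES)

def _matches(token, tags):
    """True if the suite satisfies every '+'-joined word of the token."""
    required = set()
    for word in token.split("+"):
        if word not in KNOWN:
            raise ValueError(f"unsupported cipher-string token: {word!r}")
        required |= ALIASES.get(word, {word})
    return required <= tags

def apply_cipher_list(cipher_list):
    """OpenSSL names the list enables, in table order (OpenSSL's own ordering is not emulated)."""
    enabled, killed = [], set()
    for item in filter(None, cipher_list.split(":")):
        prefix, token = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [n for n, tags in SUITES.items() if _matches(token, tags)]
        if prefix == "!":    # permanently deleted; later entries cannot bring them back
            killed.update(hits)
            enabled = [n for n in enabled if n not in killed]
        elif prefix == "-":  # deleted for now; a later entry may re-add them
            enabled = [n for n in enabled if n not in hits]
        elif prefix == "+":  # move already-enabled matches to the end of the list
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:                # append matches that are neither killed nor already present
            enabled += [n for n in hits if n not in killed and n not in enabled]
    return enabled

def parse_nmap_suites(scan_output):
    """IANA suite names from `nmap --script ssl-enum-ciphers` output, in listed order."""
    return re.findall(r"\b(TLS_[A-Z0-9_]+)\s*\(", scan_output)

def review(cipher_list, scan_output):
    """(suites the list drops from the scan, static-RSA suites it leaves enabled)."""
    enabled = set(apply_cipher_list(cipher_list))
    scanned = [(s, IANA_TO_OPENSSL.get(s)) for s in parse_nmap_suites(scan_output)]
    dropped = [s for s, o in scanned if o is not None and o not in enabled]  # unknown suites ignored
    static_rsa = [s for s, o in scanned if o in enabled and "kRSA" in SUITES[o]]
    return dropped, static_rsa

PAGE_CIPHER_LIST = "!aNULL:!AES256-SHA256:!RSA+AESGCM:ECDHE+AES:AES"  # the article's value
STRICT_CIPHER_LIST = "!aNULL:!kRSA:ECDHE+AES"  # assumption: a forward-secrecy-only variant
# Constructed to match the ssl-enum-ciphers lines of the scan shown on this page.
NMAP_SAMPLE = "".join(
    f"|       {iana} ({'secp256r1' if o.startswith('ECDHE') else 'rsa 2048'}) - A\n"
    for o, iana in SUITE_PAIRS) + "|     cipher preference: server\n|_  least strength: A\n"

if __name__ == "__main__":
    for label, cl in (("article list", PAGE_CIPHER_LIST), ("strict list", STRICT_CIPHER_LIST)):
        dropped, static_rsa = review(cl, NMAP_SAMPLE)
        print(f"{label}: {cl}\n  dropped: {dropped}\n  static RSA still enabled: {static_rsa}")
```

    Run against the article's list, review() reports the three flagged suites as dropped and seven TLS_RSA_* suites (the CCM, AES128-CBC-SHA256 and AES-CBC-SHA ones) as still enabled; with the stricter list every static-RSA suite is gone and only the six ECDHE suites remain. Because the emulation does not reproduce OpenSSL's preference ordering, compare sets rather than positions when checking it against openssl ciphers -v on the appliance.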

Additional Information