Open-VM-Tools openSSL 1.0.1p

Asked by ratz2024

Our Tenable appliance is currently reporting a vulnerability in open-vm-tools on two of our Ubuntu servers, with regard to the embedded OpenSSL versions contained within the application's lib32 and lib64 folders.

The versions of OpenSSL embedded in open-vm-tools are 1.0.1p. Tenable advises updating to 1.0.1u, at minimum, to remediate this vulnerability. When trying to update open-vm-tools, our servers report we are running the latest version, and the OS has been patched with all available updates.

-----------------------------Output From Server---------------------------------------------
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64# apt update && sudo apt -y install open-vm-tools
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Fetched 114 kB in 2s (54.5 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
open-vm-tools is already the newest version (2:11.3.0-2ubuntu0~ubuntu20.04.7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
-----------------------------Output From Server---------------------------------------------

-----------------------------OSVersions-----------------------------------------------------------
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# hostnamectl
   Static hostname: XXXXXXXXXXX
         Icon name: computer-vm
           Chassis: vm
        Machine ID: XXXXXXXXXXX
           Boot ID: XXXXXXXXXXX
    Virtualization: vmware
  Operating System: Ubuntu 20.04.6 LTS
            Kernel: Linux 6.3.4-060304-generic
      Architecture: x86-64
-----------------------------OS Versions-----------------------------------------------------------

------------------------------OS Patching----------------------------------------------------------
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# apt update
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  ubuntu-pro-client
The following packages will be upgraded:
  base-files dns-root-data klibc-utils libgpgme11 libklibc libnss-systemd libpam-systemd libpython2.7-minimal libpython2.7-stdlib libsystemd0 libudev1 ltrace motd-news-config python2.7 python2.7-minimal python3-update-manager snapd
  systemd systemd-sysv tcpdump ubuntu-advantage-tools ubuntu-pro-client-l10n udev unzip update-manager-core update-notifier-common
26 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
2 standard LTS security updates
Need to get 35.2 MB/35.4 MB of archives.
After this operation, 70.1 MB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 motd-news-config all 11ubuntu5.8 [4,284 B]
Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 base-files amd64 11ubuntu5.8 [60.3 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libnss-systemd amd64 245.4-4ubuntu3.23 [96.2 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 udev amd64 245.4-4ubuntu3.23 [1,366 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libudev1 amd64 245.4-4ubuntu3.23 [75.6 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 systemd-sysv amd64 245.4-4ubuntu3.23 [10.3 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libpam-systemd amd64 245.4-4ubuntu3.23 [186 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 systemd amd64 245.4-4ubuntu3.23 [3,811 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libsystemd0 amd64 245.4-4ubuntu3.23 [268 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 python2.7 amd64 2.7.18-1~20.04.4 [248 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libpython2.7-stdlib amd64 2.7.18-1~20.04.4 [1,887 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 python2.7-minimal amd64 2.7.18-1~20.04.4 [1,280 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu focal-updates/universe amd64 libpython2.7-minimal amd64 2.7.18-1~20.04.4 [335 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 update-manager-core all 1:20.04.10.20 [11.6 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 python3-update-manager all 1:20.04.10.20 [38.4 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-advantage-tools all 31.2.2~20.04 [10.9 kB]
Get:17 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-pro-client amd64 31.2.2~20.04 [196 kB]
Get:18 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 update-notifier-common all 3.192.30.19 [173 kB]
Get:19 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ubuntu-pro-client-l10n amd64 31.2.2~20.04 [18.4 kB]
Get:20 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 ltrace amd64 0.7.3-6.1ubuntu1.1 [123 kB]
Get:21 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 tcpdump amd64 4.9.3-4ubuntu0.3 [370 kB]
Get:22 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 dns-root-data all 2023112702~ubuntu0.20.04.1 [5,308 B]
Get:23 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 libgpgme11 amd64 1.13.1-7ubuntu2.2 [120 kB]
Get:24 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 snapd amd64 2.61.3+20.04 [24.4 MB]
Get:25 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 unzip amd64 6.0-25ubuntu1.2 [169 kB]
Fetched 35.2 MB in 22s (1,597 kB/s)

-------------------------After Patching----------------------------------

xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# apt update
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Fetched 114 kB in 2s (56.1 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1# apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
------------------------------OS Patching----------------------------------------------------------

-----------------------------Tenable Output-----------------------------------------------------
Path : /usr/lib/vmware-tools/lib32/libcrypto.so.1.0.1/libcrypto.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1s

  Path : /usr/lib/vmware-tools/lib32/libssl.so.1.0.1/libssl.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1s

  Path : /usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1/libcrypto.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1s

  Path : /usr/lib/vmware-tools/lib64/libssl.so.1.0.1/libssl.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1s
-----------------------------Tenable Output-----------------------------------------------------

If the OS and application are up to date but Tenable is reporting that OpenSSL in open-vm-tools is vulnerable, how can I update the embedded version in the locations listed by Tenable?

Can a patched open-vm-tools be released for the OS release, or can remediation steps be released?

Thanks
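Added example, not part of the original question or of the open-vm-tools project: a POSIX shell triage script for exactly this situation. For each library path quoted in the Tenable output it reads the "OpenSSL x.y.zN" banner embedded in the .so (the same banner a scanner keys on), compares it against the fixed version (1.0.1u, the value the SWEET32 plugin reports), and asks dpkg which package, if any, owns the file. The assumption behind the ownership check is that a file under /usr/lib/vmware-tools that no Ubuntu package owns was put there by something other than apt, in which case no amount of `apt upgrade` will ever change it. The script name check_vmware_openssl.sh is assumed; the version comparison follows the pre-1.1.1 OpenSSL scheme (numeric major.minor.fix followed by an optional patch letter, so 1.0.1 < 1.0.1a < ... < 1.0.1u).

```shell
#!/bin/sh
# Added example (not from the original post): triage for OpenSSL libraries
# that a vendor installer bundled under /usr/lib/vmware-tools.
#   1. read the "OpenSSL 1.0.1p"-style banner embedded in the binary
#   2. compare it with the fixed version quoted by the scanner
#   3. ask dpkg whether any Ubuntu package owns the file

# Print the first OpenSSL version banner found in a binary. Non-printable
# bytes are turned into newlines first, so binutils' `strings` is not needed.
openssl_banner_version() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' \
        | head -n 1 | cut -d' ' -f2
}

# True (exit 0) when version $1 is older than version $2.
# Scheme: numeric major.minor.fix, then an optional patch letter
# (1.0.1 < 1.0.1a < 1.0.1u < 1.0.2). Assumed to be enough for 1.0.x banners.
openssl_version_lt() {
    a_num=${1%%[a-z]*}; a_let=${1#"$a_num"}
    b_num=${2%%[a-z]*}; b_let=${2#"$b_num"}
    i=1
    while [ "$i" -le 3 ]; do
        a_i=$(echo "$a_num" | cut -d. -f"$i")
        b_i=$(echo "$b_num" | cut -d. -f"$i")
        [ "${a_i:-0}" -lt "${b_i:-0}" ] && return 0
        [ "${a_i:-0}" -gt "${b_i:-0}" ] && return 1
        i=$((i + 1))
    done
    # numeric parts equal: empty letter sorts before "a", "p" before "u"
    expr "$a_let" \< "$b_let" > /dev/null
}

# Report one library: embedded version, verdict against the fixed version,
# and the owning package. A file nobody owns did not come from apt, so the
# packaged open-vm-tools being "already the newest version" says nothing
# about it.
check_library() {
    lib=$1; fixed=$2
    [ -f "$lib" ] || { echo "$lib: missing"; return 0; }
    found=$(openssl_banner_version "$lib")
    if [ -z "$found" ]; then
        echo "$lib: no OpenSSL banner found"; return 0
    fi
    if openssl_version_lt "$found" "$fixed"; then
        verdict="VULNERABLE (< $fixed)"
    else
        verdict="ok (>= $fixed)"
    fi
    if command -v dpkg > /dev/null 2>&1; then
        owner=$(dpkg -S "$lib" 2> /dev/null | cut -d: -f1)
        owner=${owner:-"no package (not installed by apt)"}
    else
        owner="dpkg not available"
    fi
    echo "$lib: OpenSSL $found, $verdict, owner: $owner"
}

# The four paths are the ones quoted in the Tenable output; 1.0.1u is the
# "Fixed version" the SWEET32 plugin reports. Override with: main 1.0.1s
main() {
    fixed=${1:-1.0.1u}
    for lib in \
        /usr/lib/vmware-tools/lib32/libcrypto.so.1.0.1/libcrypto.so.1.0.1 \
        /usr/lib/vmware-tools/lib32/libssl.so.1.0.1/libssl.so.1.0.1 \
        /usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1/libcrypto.so.1.0.1 \
        /usr/lib/vmware-tools/lib64/libssl.so.1.0.1/libssl.so.1.0.1; do
        check_library "$lib" "$fixed"
    done
}

# Run the scan only when executed as check_vmware_openssl.sh; sourcing the
# file just defines the functions.
[ "${0##*/}" = "check_vmware_openssl.sh" ] && main "$@"
```

Run it as `sh check_vmware_openssl.sh` (or `. ./check_vmware_openssl.sh; main 1.0.1s` to check against the DROWN plugin's fixed version). One caveat on reading the result: for Ubuntu's own packaged libssl a banner check is misleading, because Canonical backports fixes without bumping the upstream version string, but that caveat does not rescue an unowned vendor copy, which receives no backports at all; for that file the banner is the truth.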

Question information

Language: English
Status: Solved
For: Ubuntu open-vm-tools
Assignee: No assignee
Solved by: ratz2024

ratz2024 (ratz2024) said :
#1

In my original description the Tenable paths shown were for the DROWN vulnerability. Below is what is reported for SWEET32.

OpenSSL 1.0.1 < 1.0.1u Multiple Vulnerabilities (SWEET32)
Severity: Critical
Plugin ID: 93814

Description
According to its banner, the remote host is running a version of OpenSSL 1.0.1 prior to 1.0.1u. It is, therefore, affected by the following vulnerabilities :

  - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2016-2177)

  - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations.
An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178)

  - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory.
(CVE-2016-2179)

  - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the 'openssl ts' command, to cause denial of service or to disclose sensitive information.
(CVE-2016-2180)

  - A denial of service vulnerability exists in the Anti-Replay feature in the DTLS implementation due to improper handling of epoch sequence numbers in records.
An unauthenticated, remote attacker can exploit this, via spoofed DTLS records, to cause legitimate packets to be dropped. (CVE-2016-2181)

  - An overflow condition exists in the BN_bn2dec() function in bn_print.c due to improper validation of user-supplied input when handling BIGNUM values. An unauthenticated, remote attacker can exploit this to crash the process. (CVE-2016-2182)

  - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session.
(CVE-2016-2183)

  - A flaw exists in the tls_decrypt_ticket() function in t1_lib.c due to improper handling of ticket HMAC digests. An unauthenticated, remote attacker can exploit this, via a ticket that is too short, to crash the process, resulting in a denial of service.
(CVE-2016-6302)

  - An integer overflow condition exists in the MDC2_Update() function in mdc2dgst.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possibly the execution of arbitrary code.
(CVE-2016-6303)

  - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition.
(CVE-2016-6304)

  - An out-of-bounds read error exists in the certificate parser that allows an unauthenticated, remote attacker to cause a denial of service via crafted certificate operations. (CVE-2016-6306)

  - A flaw exists in the GOST ciphersuites due to the use of long-term keys to establish an encrypted connection. A man-in-the-middle attacker can exploit this, via a Key Compromise Impersonation (KCI) attack, to impersonate the server.

Solution
Upgrade to OpenSSL version 1.0.1u or later.

Note that the GOST ciphersuites vulnerability is not yet fixed by the vendor in an official release; however, a patch for the issue has been committed to the OpenSSL github repository.

See Also
https://www.openssl.org/news/secadv/20160922.txt
http://www.nessus.org/u?09b29b30
https://sweet32.info/
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Path : /usr/lib/vmware-tools/lib32/libcrypto.so.1.0.1/libcrypto.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1u

  Path : /usr/lib/vmware-tools/lib32/libssl.so.1.0.1/libssl.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1u

  Path : /usr/lib/vmware-tools/lib64/libcrypto.so.1.0.1/libcrypto.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1u

  Path : /usr/lib/vmware-tools/lib64/libssl.so.1.0.1/libssl.so.1.0.1
  Reported version : 1.0.1p
  Fixed version : 1.0.1u

Bernard Stafford (bernard010) said :
#2

ratz2024 (ratz2024) said :
#3

Thanks Bernard,

But unfortunately, the link provided throws an Internal Server Error (500).

Bernard Stafford (bernard010) said :
#4

https://packages.ubuntu.com/focal/openssl
Package: openssl (1.1.1f-1ubuntu2.22 and others) [security]
Repository Server has been throwing some error codes every so often.

Manfred Hampl (m-hampl) said :
#5

The files like /usr/lib/vmware-tools/lib32/libcrypto.so.1.0.1/libcrypto.so.1.0.1 are not part of Ubuntu, but seem to stem from some foreign (and probably outdated) version of vmware-tools.

How did you install vmware-tools on your system?

ratz2024 (ratz2024) said :
#6

Hi Manfred,
It's part of Ubuntu and maintained by the OS not vmware directly.
Anyway, the first thing I tried to do was perform an upgrade of open-vm-tools, and I get the below error, as mentioned in the description.

xxxxxxxx@XXXXXXXXXXX:/usr/lib/vmware-tools/lib64# apt update && sudo apt -y install open-vm-tools
Hit:1 http://security.ubuntu.com/ubuntu focal-security InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Fetched 114 kB in 2s (54.5 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
open-vm-tools is already the newest version (2:11.3.0-2ubuntu0~ubuntu20.04.7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

ratz2024 (ratz2024) said :
#7

"Anyway, the first thing I tried to do was perform an upgrade of open-vm-tools, and I get the below error"

sorry meant to say, "message" and not "error"

Manfred Hampl (m-hampl) said :
#8

It seems that there is a confusion between the directories .../vmware-tools/... and .../open-vm-tools/...

What output do you receive for the command

dpkg -S libcrypto.so.1.0.1

and which "below message" did you get in comment #7?

ratz2024 (ratz2024) said (last edit):
#9

Hi Manfred, Bernard

@Manfred, this was the message I was referring to, which sent me down the downward spiral of confusion.
 ------------------------------------------------------------------------------------------------------------------------------
"open-vm-tools is already the newest version (2:11.3.0-2ubuntu0~ubuntu20.04.7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."
 ------------------------------------------------------------------------------------------------------------------------------

Thanks for the replies. Comment #5 made me look again.

I've solved the issue with the help of the comments, which made me look closely again. Yes, you are right, the two directories are different. VMware Tools installs to the .../vmware-tools/... directory. I confused the two.

The open source app that comes with the OS is .../open-vm-tools/...

A while back both tools were installed, from both Ubuntu and VMware, on these servers. I thought there was only one installed, causing the confusion. What I've now done is uninstall the VMware Tools version, which was indeed old, leaving just the open-vm-tools copy, which is current.

Reran the remediation scan and the servers are no longer reporting a vulnerability for openssl.

Again, thanks for the help. I have marked this as answered. Comment #5 made me look again.