CrowdStrike Heartbleed Scanner finds my vulnerable VMware ESXi 5.5 U1 host, I patch, then rescan

Posted by Paul Braren on Apr 23 2014 in
  • ESXi
  • Network
  • Security

    • Yes, Heartbleed is still hanging in there for the IT pro, continuing to demand our attention. Earlier today, during a long drive to a virtualization user group meeting here in New Hampshire, I had the opportunity to catch up on some podcasts, including yesterday's Security Now Podcast 452. Steve Gibson excitedly shares a nice gem he's found to scan your network for vulnerable hosts, discussed at this spot in the podcast. In a video produced right from my hotel room tonight, I demonstrate the use of this simple "no install required" Windows executable, created by Robin Keier, announced last week here.

    Download CrowdStrike Heartbleed Scanner:

    CrowdStrike-Heartbleed-Scanner

    Yeah, I just couldn't wait til I'm home tomorrow to try this, so I simply and securely VPN'd to my home network, and tada, I was able to run the scan just fine, just as if I was actually on my home network, even though it's 160 miles away, since I set my VPN to have no port blocking active for private network traffic.

    In the video walk-through below, you'll actually see that scan of my entire home network, successfully identifying my unpatched ESXi 5.5 U1 host as "vulnerable." I then patch that host, reboot it, and wrap up with a clean re-run of the Heartbleed Scanner. Nice! A nice new tool to keep, in my virtual tool bag.

    More details at:

    CrowdStrike offers new free Heartbleed Scanner tool by Tony Bradley Apr 23 2014, and

    OpenSSL Heartbleed patches for ESXi 5.5 are available now! by Andreas Peetz on Apr 19 2014,

    where Andreas kindly documents the first step to remediate the host (downloads all the latest VIBs):

    Enable SSH access on your host, log in to it (e.g. using putty) and run the following commands:

    # open firewall for outgoing http requests:
esxcli network firewall ruleset set -e true -r httpClient
# Install the ESXi 5.5 U1 Heartbleed Imageprofile from the VMware Online depot
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard
# Reboot your host
reboot

    followed by the revoke/reissue of the certificate, topped off with a change of the root password. It's all explained in detail by VMware in KB2076665:
    Resolving OpenSSL Heartbleed for ESXi 5.5 - CVE-2014-0160 (2076665)

    Hope you enjoy the video, and please drop a comment below, no login required, and let us all know your experience with CrowdStrike Heartbleed Scanner.

    See also:

    As webmaster, how I cleaned up after Heartbleed, including SSL certificate handling by Paul Braren on Apr 16 2014.

    TinkerTry - PCs, EVs, home tech, efficiency and more, including virtualization. My opinions here, not my employer's.

    Paul Braren, MCSE in 1998, VCP #2681 in 2005, vExpert 2014 to 2024, Veeam Vanguard Emeritus, 2015 to 2019.

    Support TinkerTry

    PayPal | Patreon | VMware Store

    After 6 successful years testing then shipping well over 1,000 Xeon D Bundles, Wiredzone had to stop selling them in mid-2021 due to cost, supply, and logistics challenges. So far, Xeon D-1700/2700 (Ice Lake D) was a minor refresh for 2023, with Xeon D-1800/2800 (Granite Rapids D) refresh looking a little better for 2024. More cores, but still just PCIe Gen4 and DDR4. Looking ahead, I'm glad it's Pat Gelsinger at Intel's helm. I'm also grateful to have had the honor of working at VMware when Pat was the CIO there. I'll leave it at that, given the whole Broadcom thing.

    Easily update VMware ESXi at TinkerTry.com/easy-update-to-latest-esxi