4 Replies Latest reply on Oct 29, 2014 4:55 PM by dsbalcau

    virtualization manager and security scans

    redhawk15

      Good morning all. I am responsible for helping maintain our SolarWinds environment and have been approached by our information security team regarding SolarWinds Virtualization Manager. They particularly approached me in regards to the amount of vulnerabilities that showed up during our last scan. Is anyone out there having the same issue, and if so, what have you done to mitigate either the security scan or Virtualization Manager?

        • Re: virtualization manager and security scans
          chrispaap

          Good Morning.  To answer your question we do get reports of security vulnerabilities with the most recent being ShellShock (see thwack post ShellShock Vulnerability and Solarwinds Products) and we evaluate our susceptibility to those vulnerabilities. If a zero day vulnerability is found to be exploitable then we start testing patches and deployment strategies that will guarantee the patch will not break the VMAN appliance or prevent future upgrades, if implemented out of band of our normal release cycle. If an exploit is identified but its risk is mitigated on the VMAN appliance then we generally plan to implement the patch on the next release.


          • Re: virtualization manager and security scans
            level0

            To add to the previous post, automated security scanners usually do not test the vulnerability itself, just the versions of the packages installed on the system. As a result, they report vulnerabilities which cannot be exploited because the vulnerable feature was disabled, high-grade ciphers are enforced in the settings, the vulnerability is only exploitable on Windows or there is simply no attack vector through which an attacker could exploit a weakness (you don't have to lock your car when it's in a safe garage), just to give you a few examples.

              • Re: virtualization manager and security scans
                redhawk15

                OK, so if we have the VMAN VM running and our security scan tool calls out 130+ vulnerabilities that are on the VMAN VM, option 1 would be to remove the VMAN VM from the scan (the VMAN VM itself is running on our interior network and is behind at least 2 firewalls and a DMZ). What would option 2, option 3, etc. be?

                  • Re: virtualization manager and security scans
                    dsbalcau

                    Option 3 - Make sure you are on VMAN 6.1.1. We updated a bunch of the bundled software on the appliance in that release that addressed almost all critical vulnerabilities that were found by a Nessus scan. Any remaining vulnerabilities fell into the previously mentioned "unexploitable" category. We run Nessus internally before release and log issues as we find them, so always make sure you are on the latest version.