lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 16 Jun 2016 21:19:39 +0000
From: Nate Kettlewell <nate@...thsecurity.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] CVE-2016-5709 - Use of Weak Encryption Algorithm in Solarwinds
 Virtualization Manager

Product: Solarwinds Virtualization Manager

Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1

Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016

Vulnerability Type: Security Misconfiguration
CVE Reference: CVE-2016-5709
Risk Level: High
CVSSv3 Base Score: 6.0 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
Solution Status: Solution Available

Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

Depth Security discovered a vulnerability in Solarwinds Virtualization Manager appliance. 
This attack requires a user to have an operating system shell with superuser privilges on the vulnerable appliance.

1) Use of a weak encryption algorithm in Solarwinds Virtualization Manager: CVE-2016-5709

The vulnerability exists due to the use of a weak encryption algorithm in the /etc/shadow file.
A local attacker in possession of a superuser operating system shell can easily crack the passwords of other system users.

-----------------------------------------------------------------------------------------------

Solution:

Solarwinds has released a hotfix to remediate this vulnerability on existing installations. 

This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances.

-----------------------------------------------------------------------------------------------

Proof of Concept:

An attacker can dump the contents of the /etc/shadow file using the following command:

cat /etc/passwd

The output of this command can then be used with many popular password cracking programs to obtain the cleartext passwords of other operating system users.

-----------------------------------------------------------------------------------------------

References:

[1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ