lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <3DA9C302-A225-4281-9B73-782E649FB47A@thrashyour.com>
Date: Thu, 4 Feb 2016 19:04:22 -0800
From: John Kinsella <jlk@...ashyour.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: CVE-2015-3252: Apache CloudStack VNC authentication issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2015-3252: Apache CloudStack VNC authentication issue

CVSS v2:
4.3 (AV:N/AC:H/Au:M/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Afffected:
Apache CloudStack 4.4.4, 4.5.1

Description:
Apache CloudStack sets a VNC password unique to each KVM virtual
machine under management. Upon migrating a VM from one host to
another, the VNC password is no longer set in KVM on the new host.

To leverage this issue, an attacker would need to have network
access to a CloudStack host to be able to connect via VNC directly.

Mitigation:
Users of Apache CloudStack and derivatives should ensure their hosts
are behind network firewalls, and should update to least version
4.5.2 or 4.6.0, depending on which tree is being used.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJWs/dCAAoJELAo8zo1KBbtsX8QAMf2s9OIY3FTbMbTIo/LBmLa
rOOE46SBcmypN1TCHKW0K9etymieI58CPX9LHNdtZcAMa1khl4uo/Euz0wGu0zZZ
awXahXEKUkLSTQDDYJP+8TmKvnIan/mYXRvPEHi2bMCtQ+CjY5qvcge9wXpFDKty
B3LP9n/zYDkQCvBLmjPuqIM+B4JXT9q/e3LsVQHrjhBxheY26CMrSRZ/aLxmzxbh
SSNs4oMZhLEPHoSt/lWsHYd/HxJ/eEjyQunP0UpO5d5/RZypYllPHcbaFPqtC4uK
55VB3JGyPiSEpxbbWEAqrPlOwCU9yNhRXnjdf3gc360NtdjncY1R49+VvUc6C+6u
FqPmy5LFja5uQ1w6/VDdwoT9GeBL9rooMFsLgRpv+FCKPYEtvvIbvot45xA5TCAi
MoU7RjYZoWHTmXLYcQOSSzFnySjLVqdrIL6fgu4gpehB/Od+sV+dwaKM/l03Ml8S
mTerjUNkG2e+pNuWk703aLv4YrKv63T2ga8Nli00BYSyzsxDupd+0XmBzvsLPCMY
uEbxBVVFSpIJMtTacBNgRQGFEQVh+DxPgDaXoZ6RFU/QKVZuWAq85qVEcbDjf8bM
0C6D3f5uXaFaXm4ff1FZ/s/4YOj4rm5EyawrM+Me218+PKMJPHzvsL8y10GCj1T8
s1S77QqgKhqFc+98Z1m3
=OY+T
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ