| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <DM3PR17MB0540477D3E0E6ED95E26D1F1D0560@DM3PR17MB0540.namprd17.prod.outlook.com> Date: Thu, 16 Jun 2016 21:19:39 +0000 From: Nate Kettlewell <nate@...thsecurity.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] CVE-2016-5709 - Use of Weak Encryption Algorithm in Solarwinds Virtualization Manager Product: Solarwinds Virtualization Manager Vendor: Solarwinds Vulnerable Version(s): < 6.3.1 Tested Version: 6.3.1 Vendor Notification: April 25th, 2016 Vendor Patch Availability to Customers: June 1st, 2016 Public Disclosure: June 14th, 2016 Vulnerability Type: Security Misconfiguration CVE Reference: CVE-2016-5709 Risk Level: High CVSSv3 Base Score: 6.0 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) Solution Status: Solution Available Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ ) ----------------------------------------------------------------------------------------------- Advisory Details: Depth Security discovered a vulnerability in Solarwinds Virtualization Manager appliance. This attack requires a user to have an operating system shell with superuser privilges on the vulnerable appliance. 1) Use of a weak encryption algorithm in Solarwinds Virtualization Manager: CVE-2016-5709 The vulnerability exists due to the use of a weak encryption algorithm in the /etc/shadow file. A local attacker in possession of a superuser operating system shell can easily crack the passwords of other system users. ----------------------------------------------------------------------------------------------- Solution: Solarwinds has released a hotfix to remediate this vulnerability on existing installations. This flaw as well as several others have been corrected and that release has been put into manufacturing for new appliances. ----------------------------------------------------------------------------------------------- Proof of Concept: An attacker can dump the contents of the /etc/shadow file using the following command: cat /etc/passwd The output of this command can then be used with many popular password cracking programs to obtain the cleartext passwords of other operating system users. ----------------------------------------------------------------------------------------------- References: [1] Solarwinds Virtualization Manager- http://www.solarwinds.com/virtualization-manager - Solarwinds Virtualization Manager provides monitoring and remediation for virtualized environments. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists