ID CVE-2014-0189
Summary virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain passwords for hypervisors by reading the file.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:virt-who_project:virt-who:-:*:*:*:*:*:*:*
CVSS
Base: 2.1 (as of 26-08-2016 - 12:02)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector          Complexity      Authentication
LOCAL           LOW             NONE
Impact
Confidentiality Integrity       Availability
PARTIAL         NONE            NONE
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1124732
    title in the virt-who log
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • comment virt-who is earlier than 0:0.9-6.el5
      oval oval:com.redhat.rhba:tst:20141206002
    • comment virt-who is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhba:tst:20141206003
    rhsa
    released 2014-09-16
    severity None
    title RHBA-2014:1206: virt-who bug fix and enhancement update (None)
  • bugzilla
    id 1139497
    title Failed to run at vdsm mode when it has guest on host
    oval
    AND
    • comment virt-who is earlier than 0:0.10-8.el6
      oval oval:com.redhat.rhba:tst:20141513005
    • comment virt-who is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhba:tst:20141513006
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    rhsa
    released 2014-06-03
    severity None
    title RHBA-2014:1513: virt-who bug fix and enhancement update (None)
  • bugzilla
    id 1168122
    title virt-who incorrectly says that VM is from 'None' hypervisor
    oval
    AND
    • comment virt-who is earlier than 0:0.11-5.el7
      oval oval:com.redhat.rhsa:tst:20150430005
    • comment virt-who is signed with Red Hat redhatrelease2 key
      oval oval:com.redhat.rhba:tst:20141513006
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    rhsa
    id RHSA-2015:0430
    released 2015-03-05
    severity Moderate
    title RHSA-2015:0430: virt-who security, bug fix, and enhancement update (Moderate)
rpms
  • virt-who-0:0.9-6.el5
  • virt-who-0:0.10-8.el6
  • virt-who-0:0.11-5.el7
refmap via4
bid 67089
confirm
mlist [oss-security] 20140428 CVE-2014-0189: /etc/sysconfig/virt-who is world-readable (contains unencrypted passwords)
Last major update 26-08-2016 - 12:02
Published 02-05-2014 - 14:55