Category:   Application (Generic)  >   Red Hat Enterprise Virtualization Manager
Vendors:   Red Hat
Red Hat Enterprise Virtualization Manager Bugs Let Local Users Gain Elevated Privileges and Remote Authenticated Users Access Data
SecurityTracker Alert ID:  1027838
SecurityTracker URL:  http://securitytracker.com/id/1027838
CVE Reference:   CVE-2011-4316, CVE-2012-0860, CVE-2012-0861, CVE-2012-2696, CVE-2012-5516
Date:  Dec 5 2012
Impact:   Disclosure of system information, Disclosure of user information, Root access via network, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 3.1
Description:   Several vulnerabilities were reported in Red Hat Enterprise Virtualization Manager. A local user can obtain elevated privileges on the target system. A remote authenticated user can access restricted data on the target system. A remote user can conduct man-in-the-middle attacks to gain root access.

Red Hat Enterprise Linux hosts are not properly added to the Red Hat Enterprise Virtualization (RHEV) environment [CVE-2012-0860]. A local user on the host to be added to the RHEV environment can place specially crafted files in the '/tmp' directory to gain elevated privileges.

The system does not properly validate SSL certificates for HTTPS connections when Python configuration scripts are downloaded [CVE-2012-0861]. A remote user on the local network can conduct a man-in-the-middle attack to potentially gain root access on the host being added to the RHEV environment.
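
The two host-deployment flaws above (configuration scripts staged at a pre-creatable path under '/tmp', and a download made without certificate validation) are closed by the same staging pattern. The following Python is an added example, not code from Red Hat or SecurityTracker; the function names and the file name `installer.py` are hypothetical, and a scratch directory stands in for a shared '/tmp'.

```python
import os
import ssl
import stat
import tempfile


def verified_tls_context(ca_file=None):
    """TLS client context that validates the server chain and hostname."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # Defaults already, stated explicitly: skipping these is the flaw class.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def stage_exclusive(directory, name, data):
    """Create directory/name only if nothing (file or symlink) is there yet."""
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # FileExistsError if pre-created
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def stage_private(name, data):
    """Stage inside a fresh directory that only the calling user can enter."""
    workdir = tempfile.mkdtemp(prefix="deploy-")  # mode 0700, random name
    return stage_exclusive(workdir, name, data)


def demo():
    """Run both staging paths against constructed sample data."""
    script = b"print('host configured')\n"  # constructed payload
    shared = tempfile.mkdtemp(prefix="shared-tmp-")  # stands in for /tmp
    with open(os.path.join(shared, "installer.py"), "wb") as fh:
        fh.write(b"# file that was already present\n")
    try:
        stage_exclusive(shared, "installer.py", script)
        rejected = False
    except FileExistsError:
        rejected = True
    path = stage_private("installer.py", script)
    mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
    ctx = verified_tls_context()
    return {"precreated_rejected": rejected, "private_dir_mode": mode,
            "tls_verifies": ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname}


if __name__ == "__main__":
    print(demo())
```

Pass the context from `verified_tls_context()` to the HTTPS client that fetches the script, and write the downloaded bytes with `stage_private()` rather than to a fixed name in a world-writable directory.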

The system does not properly lock the screen on a virtual machine between Simple Protocol for Independent Computing Environments (SPICE) sessions [CVE-2011-4316]. A local user on a virtual machine may be able to gain access to another user's unlocked desktop session.

The system does not properly apply the wipe-after-delete setting when moving disks between storage domains [CVE-2012-5516]. A user may be able to obtain potentially sensitive information.

The system back end does not properly check the privileges of users making requests via the SOAP and GWT APIs. A remote authenticated user can access restricted data [CVE-2012-2696].

Red Hat reported these vulnerabilities.

Impact:   A local user can obtain elevated privileges on the target system.

A remote authenticated user can access restricted data on the target system.

A remote user can conduct man-in-the-middle attacks to gain root access.

Solution:   The vendor has issued a fix (3.1).

The vendor's advisory is available at:

https://rhn.redhat.com/errata/RHSA-2012-1506.html

Vendor URL:  rhn.redhat.com/errata/RHSA-2012-1506.html
Cause:   Access control error, Authentication error
Underlying OS:   Linux (Red Hat Enterprise)

Message History:   None.


 Source Message Contents

Date:  Tue, 4 Dec 2012 20:31:38 +0000
Subject:  [RHSA-2012:1506-01] Important: Red Hat Enterprise Virtualization Manager 3.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Enterprise Virtualization Manager 3.1
Advisory ID:       RHSA-2012:1506-01
Product:           Red Hat Enterprise Virtualization
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1506.html
Issue date:        2012-12-04
CVE Names:         CVE-2011-4316 CVE-2012-0860 CVE-2012-0861 
                   CVE-2012-2696 CVE-2012-5516 
=====================================================================

1. Summary:

Red Hat Enterprise Virtualization Manager 3.1 is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEV-M for Servers - noarch

3. Description:

Red Hat Enterprise Virtualization Manager is a visual tool for centrally
managing collections of virtual servers running Red Hat Enterprise Linux
and Microsoft Windows. This package also includes the Red Hat Enterprise
Virtualization Manager API, a set of scriptable commands that give
administrators the ability to perform queries and operations on Red Hat
Enterprise Virtualization Manager.

A flaw was found in the way Red Hat Enterprise Linux hosts were added to
the Red Hat Enterprise Virtualization environment. The Python scripts
needed to configure the host for Red Hat Enterprise Virtualization were
stored in the "/tmp/" directory and could be pre-created by an attacker. A
local, unprivileged user on the host to be added to the Red Hat Enterprise
Virtualization environment could use this flaw to escalate their
privileges. This update provides the Red Hat Enterprise Virtualization
Manager part of the fix. The RHSA-2012:1508 VDSM update (Red Hat Enterprise
Linux hosts) must also be installed to completely fix this issue.
(CVE-2012-0860)

A flaw was found in the way Red Hat Enterprise Linux and Red Hat Enterprise
Virtualization Hypervisor hosts were added to the Red Hat Enterprise
Virtualization environment. The Python scripts needed to configure the host
for Red Hat Enterprise Virtualization were downloaded in an insecure way,
that is, without properly validating SSL certificates during HTTPS
connections. An attacker on the local network could use this flaw to
conduct a man-in-the-middle attack, potentially gaining root access to the
host being added to the Red Hat Enterprise Virtualization environment. This
update provides the Red Hat Enterprise Virtualization Manager part of the
fix. The RHSA-2012:1508 VDSM update (Red Hat Enterprise Linux hosts) or
RHSA-2012:1505 rhev-hypervisor6 update (Red Hat Enterprise Virtualization
Hypervisor hosts) must also be installed to completely fix this issue.
(CVE-2012-0861)

It was found that under certain conditions, Red Hat Enterprise
Virtualization Manager would fail to lock the screen on a virtual machine
between SPICE (Simple Protocol for Independent Computing Environments)
sessions. A user with access to a virtual machine in Red Hat Enterprise
Virtualization Manager could potentially exploit this flaw to gain access
to another user's unlocked desktop session. (CVE-2011-4316)

It was found that Red Hat Enterprise Virtualization Manager did not
correctly pass wipe-after-delete when moving disks between storage domains.
This resulted in such disks not being securely deleted as expected,
potentially leading to information disclosure. (CVE-2012-5516)

A flaw was found in the way the Red Hat Enterprise Virtualization Manager
back end checked the privileges of users making requests via the SOAP and
GWT APIs. An authenticated attacker able to issue queries against Red Hat
Enterprise Virtualization Manager could use this flaw to query data that
they should not have access to. (CVE-2012-2696)

These issues were discovered by Red Hat.

In addition to resolving the above security issues these updated Red Hat
Enterprise Virtualization Manager packages fix various bugs, and add
various enhancements.

Documentation for these bug fixes and enhancements is available in the
Technical Notes:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html

All Red Hat Enterprise Virtualization Manager users are advised to upgrade
to these updated packages which resolve these security issues, fix these
bugs, and add these enhancements.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

754876 - CVE-2011-4316 SPICE screen locking race condition
790730 - CVE-2012-0860 rhev: vds_installer insecure /tmp use
790754 - CVE-2012-0861 rhev: vds_installer is prone to MITM when downloading 2nd stage installer
831565 - CVE-2012-2696 rhev: backend allows unprivileged queries
838300 - [engine][setupNetworks] Add sync network functionality
839230 - [RFE] Do not allow runon/pin-to host for user level api/portal
840280 - Improving import vm/tempate look & feel
848862 - Report event on time drift between engine and vdsm
852057 - Run once dialogue - need a face lift, usuability
858643 - [backup] using pg_dump --column-inserts slows down the restore process
862370 - web-admin/user-portal: support Japanese (ja)
875370 - CVE-2012-5516 rhev-m: MoveDisk ignores the disk's wipe-after-delete property

6. Package List:

RHEV-M for Servers:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHEV/SRPMS/rhevm-3.1.0-32.el6ev.src.rpm

noarch:
rhevm-3.1.0-32.el6ev.noarch.rpm
rhevm-backend-3.1.0-32.el6ev.noarch.rpm
rhevm-config-3.1.0-32.el6ev.noarch.rpm
rhevm-dbscripts-3.1.0-32.el6ev.noarch.rpm
rhevm-genericapi-3.1.0-32.el6ev.noarch.rpm
rhevm-notification-service-3.1.0-32.el6ev.noarch.rpm
rhevm-restapi-3.1.0-32.el6ev.noarch.rpm
rhevm-setup-3.1.0-32.el6ev.noarch.rpm
rhevm-setup-plugin-allinone-3.1.0-32.el6ev.noarch.rpm
rhevm-tools-common-3.1.0-32.el6ev.noarch.rpm
rhevm-userportal-3.1.0-32.el6ev.noarch.rpm
rhevm-webadmin-portal-3.1.0-32.el6ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4316.html
https://www.redhat.com/security/data/cve/CVE-2012-0860.html
https://www.redhat.com/security/data/cve/CVE-2012-0861.html
https://www.redhat.com/security/data/cve/CVE-2012-2696.html
https://www.redhat.com/security/data/cve/CVE-2012-5516.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFQvl2HXlSAg2UNWIIRAiuJAKChP1UXd2MJryR2LGIrgz7JJflZVQCePvMn
gbHh+asVCM+asH9aUDcx4U0=
=64Ok
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 



Copyright 2014, SecurityGlobal.net LLC