ID CVE-2014-0189
Summary virt-who ships /etc/sysconfig/virt-who with world-readable permissions; the file stores hypervisor credentials in cleartext, so any local user can read it and obtain the passwords for the hypervisors virt-who connects to.
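The condition above is a file-permission check, so it can be audited and fixed mechanically. The following is an added example (not code from the virt-who project or from the advisory): it recreates the vulnerable state in a temporary directory with a constructed sysconfig body, flags the file as exposed when a secret-bearing variable is readable by anyone other than the owner (this generalises the CVE's world-readable case to group-readable as well), and applies chmod 0600, which is the assumed remediation; the page only states that the shipped file was world-readable. The VIRTWHO_ESX_PASSWORD variable name is a real virt-who sysconfig key, but the secret-name pattern and the sample content are this example's assumptions.

```python
"""Audit /etc/sysconfig/virt-who-style files for readable secrets (added example)."""
import os
import re
import stat
import tempfile

# Any sysconfig variable whose name contains PASSWORD/PASSWD/SECRET is treated as
# a secret. The pattern is an assumption of this example, not virt-who's own rule.
SECRET_KEY_RE = re.compile(
    r"^\s*(?:export\s+)?([A-Za-z0-9_]*(?:PASSWORD|PASSWD|SECRET)[A-Za-z0-9_]*)\s*=",
    re.IGNORECASE,
)

# Constructed sample in the pre-fix virt-who sysconfig format; not a real deployment.
SAMPLE_SYSCONFIG = """\
# constructed sample /etc/sysconfig/virt-who
VIRTWHO_INTERVAL=300
VIRTWHO_ESX=1
VIRTWHO_ESX_SERVER=vcenter.example.internal
VIRTWHO_ESX_USERNAME=virtwho-ro
VIRTWHO_ESX_PASSWORD=Sup3rS3cret!
"""


def secret_keys(text):
    """Return the names of variables in a sysconfig body that look like secrets."""
    found = []
    for line in text.splitlines():
        m = SECRET_KEY_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def audit(path):
    """Inspect one file: permission bits, who besides the owner can read it, secrets present."""
    st = os.stat(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        keys = secret_keys(fh.read())
    world_readable = bool(st.st_mode & stat.S_IROTH)
    group_readable = bool(st.st_mode & stat.S_IRGRP)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "world_readable": world_readable,
        "group_readable": group_readable,
        "secret_keys": keys,
        # The CVE-2014-0189 condition: a secret is present and a non-owner can read it.
        "exposed": bool(keys) and (world_readable or group_readable),
    }


def remediate(path, mode=0o600):
    """Drop group/other bits and return the post-change audit.

    Ownership is left alone because this example may not run as root; in
    production pair the chmod with chown root:root on the sysconfig file.
    """
    os.chmod(path, mode)
    return audit(path)


def demo():
    """Create the vulnerable file in a temp dir, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "virt-who")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SYSCONFIG)
        os.chmod(path, 0o644)  # the shipped, world-readable mode
        before = audit(path)
        after = remediate(path)
        return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b["mode"], "exposed:", b["exposed"], "keys:", b["secret_keys"])
    print("after: ", a["mode"], "exposed:", a["exposed"])
```

Run audit() against the real /etc/sysconfig/virt-who (and any other sysconfig or .conf file that carries service credentials) from a cron job or a configuration-management check; the "exposed" flag is the thing to alert on, since a secret in a 0600 root-owned file is the expected state and a secret in a 0644 file is the bug described here.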
Vulnerable Configurations
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:virt-who_project:virt-who:-:*:*:*:*:*:*:*
CVSS
Base: 2.1 (as of 13-02-2023 - 00:36)
CWE CWE-310 (Cryptographic Issues)
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
    This CAPEC entry follows from the generic CWE-310 classification, not from the bug itself: exploiting CVE-2014-0189 requires no cryptographic attack, only a local account that can read the sysconfig file.
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1124732
    title in the virt-who log
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331005
      • comment virt-who is earlier than 0:0.9-6.el5
        oval oval:com.redhat.rhba:tst:20141206001
      • comment virt-who is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20141206002
    rhsa
    id RHBA-2014:1206
    released 2014-09-16
    severity Moderate
    title RHBA-2014:1206: virt-who bug fix and enhancement update (Moderate)
  • bugzilla
    id 1139497
    title Failed to run at vdsm mode when it has guest on host
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment virt-who is earlier than 0:0.10-8.el6
        oval oval:com.redhat.rhba:tst:20141513001
      • comment virt-who is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20141513002
    rhsa
    id RHBA-2014:1513
    released 2014-10-13
    severity Moderate
    title RHBA-2014:1513: virt-who bug fix and enhancement update (Moderate)
  • bugzilla
    id 1168122
    title virt-who incorrectly says that VM is from 'None' hypervisor
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • comment virt-who is earlier than 0:0.11-5.el7
        oval oval:com.redhat.rhsa:tst:20150430001
      • comment virt-who is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20141513002
    rhsa
    id RHSA-2015:0430
    released 2015-03-05
    severity Moderate
    title RHSA-2015:0430: virt-who security, bug fix, and enhancement update (Moderate)
rpms
  • virt-who-0:0.9-6.el5
  • virt-who-0:0.10-8.el6
  • virt-who-0:0.11-5.el7
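The OVAL criteria above reduce to "installed virt-who EVR is earlier than the fixed EVR for that RHEL release", and rpm decides "earlier" with its rpmvercmp algorithm (segment-wise, numeric segments beat alphabetic ones, "~" sorts before anything, "^" sorts after the shorter string). The following added example, not code from Red Hat's OVAL content or from rpm, reimplements that comparison in Python and checks an installed EVR string against the fixed builds listed in the rpms section; the dist-tag lookup (".elN" in the release) and the function names are this example's assumptions.

```python
"""Compare RPM EVR strings the way rpmvercmp does and test against the fixed builds."""
import re

# Fixed builds from the rpms list on this page, keyed by RHEL dist tag.
FIXED_EVR = {
    "el5": "0:0.9-6.el5",
    "el6": "0:0.10-8.el6",
    "el7": "0:0.11-5.el7",
}


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's rpmvercmp segment algorithm."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separators; only alphanumerics, '~' and '^' are significant.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":        # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":        # caret sorts after end of string, before anything else
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        si, sj = i, j
        if ca.isdigit():                  # numeric segment on both sides (as far as they go)
            while i < la and a[i].isdigit():
                i += 1
            while j < lb and b[j].isdigit():
                j += 1
            isnum = True
        else:                             # alphabetic segment
            while i < la and a[i].isalpha():
                i += 1
            while j < lb and b[j].isalpha():
                j += 1
            isnum = False
        sa, sb = a[si:i], b[sj:j]
        if not sb:                        # segment types differ: numeric wins over alpha
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # longer run of digits is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1           # whichever still has segments left is newer


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); missing epoch is 0."""
    epoch, rest = 0, evr
    if ":" in evr:
        e, rest = evr.split(":", 1)
        epoch = int(e)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, version, release


def evr_cmp(a, b):
    """Order two EVR strings: epoch numerically, then version, then release via rpmvercmp."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed_evr):
    """True when the installed virt-who EVR predates the fixed build for its dist tag."""
    m = re.search(r"\.el(\d+)", parse_evr(installed_evr)[2])
    tag = "el" + m.group(1) if m else None
    if tag not in FIXED_EVR:
        raise ValueError("no fixed build listed on this page for " + installed_evr)
    return evr_cmp(installed_evr, FIXED_EVR[tag]) < 0


if __name__ == "__main__":
    for evr in ("0.9-5.el5", "0.10-8.el6", "0.11-5.el7_1"):
        print(evr, "vulnerable" if is_vulnerable(evr) else "fixed")
```

On a live host the input string comes from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' virt-who` (with "(none)" mapped to epoch 0); the same comparison is what the OVAL "is earlier than" tests encode, so the function gives the same verdict as an OVAL scanner would for the three advisories above.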
refmap via4
bid 67089
confirm
mlist [oss-security] 20140428 CVE-2014-0189: /etc/sysconfig/virt-who is world-readable (contains unencrypted passwords)
Last major update 13-02-2023 - 00:36
Published 02-05-2014 - 14:55
Last modified 13-02-2023 - 00:36