[Full-disclosure] Apache CloudStack Security Advisory: Multiple vulnerabilities in Apache CloudStack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Product: Apache CloudStack
Vendor: The Apache Software Foundation
CVE References: CVE-2013-2756, CVE-2013-2758
Vulnerability Type(s): Authentication bypass (2756), cryptography (2758)
Vulnerable version(s): Apache CloudStack version 4.0.0-incubating and 4.0.1-incubating
Risk Level: High, Medium
CVSSv2 Base Scores: 7.3 (AV:N/AC:H/Au:N/C:P/I:C/A:C), 4.3 (AV:A/AC:H/Au:N/C:P/I:P/A:P)

Description:
The CloudStack PMC was notified of two issues found in Apache CloudStack:

1) An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant's VM.
2) Insecure hash values may lead to information disclosure.

URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, the hash of which was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access.

Mitigation:
Updating to Apache CloudStack versions 4.0.2 or higher will mitigate these vulnerabilities.

Credit:
These issues were identified by Wolfram Schlich and Mathijs Schmittmann to the Citrix security team, who in turn notified the Apache CloudStack PMC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJReHSvAAoJEI7yNrpBLHrS19UP/R+7RadV4QlnBxErhy53/FZf
qeOKGKj3cLm5dhFsNjzODQRRcSZohrwq3CX5dM1GW83LdAVJjoKQYCTO4/Dm+WP4
EI2z8PAxrr+gOZKZt0ouufb3aJPMP5nQK+/UphSUCNS9BPu2gDQubAgRq3bTFqHI
b54XVwd8SEZ/lb7ds8zXiKLCWtz18BK9JCa7/sWArpUlbJIqEYkC3NO4rvR/I/Uo
ZS6tvX4i/Fh+KoJwnhoYm852xoSRAX2YCv00Ao/WLleltzH43wSV2DA/SpKsfUAp
hvkkwMjYo0FFQZcvvFIFFXUAOMtjFVQ+Dh5CdXiozqQyeKpO61HtyNWoPGBsKaj7
RTlVSPu8vRxi1JiqVd850L1oa9wGgG3ywySY5NGs/TNdZ+6GtxO3jr2QMFDhI7G0
0uc2TPx63RZFdkODZ9FF6p29OfgRHy6Uq0UysHO8Yuadiys9xWOZjoHavDYPLrxC
ZRyrG1Ny9RUh5vQsoFIKoEJIwBtoK0ljLvNROT9T4cpG80qnj/SRUnvNxhPI87gJ
4Fcvh/1R/ZdvPeeMRf+eOd8euw1KkC6tCRbabQwCKb2hAXYxKXG5f+a7XRk/2laf
UNdjnvNEz9OqYKs0f3A4MLNv37PdtFBqLmfGDCPNx79VT+//exCxtTJXy6Ydwgmr
Qy2m9i7qrd34G2Cp0g4V
=7qL9
-----END PGP SIGNATURE-----

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
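The advisory's second issue is a console URL whose access token is an unkeyed hash over predictable inputs. The added example below is not CloudStack's code or its actual fix; it contrasts that anti-pattern with a keyed token (HMAC-SHA256 over tenant, VM and expiry, checked in constant time). The field names, the token layout and the sample values are assumptions made for the illustration.

```python
"""Added example (not CloudStack code): a predictable, unkeyed digest versus a
keyed, expiring console-access token. Field names and layout are assumptions."""
import hashlib
import hmac
import secrets
import time

# Server-side secret generated once at install time and never placed in a URL.
# Constructed here; a real deployment loads it from protected storage.
SERVER_KEY = secrets.token_bytes(32)


def weak_console_token(vm_id: int, sequence: int) -> str:
    """The anti-pattern: an unkeyed MD5 over inputs anyone can predict.
    Whoever knows how the string is assembled (the source is public) can
    recompute it, so it proves nothing about who is holding the URL."""
    return hashlib.md5(f"{vm_id}:{sequence}".encode()).hexdigest()


def _message(tenant_id: str, vm_id: int, expires_at: int) -> bytes:
    # Length-prefix each field so "ab|c" and "a|bc" cannot produce the same bytes.
    parts = [tenant_id.encode(), str(vm_id).encode(), str(expires_at).encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def issue_console_token(tenant_id, vm_id, ttl_seconds=60, key=SERVER_KEY, now=None):
    """Bind the token to the tenant, the VM and a short expiry with a keyed MAC."""
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    mac = hmac.new(key, _message(tenant_id, vm_id, expires_at), hashlib.sha256).hexdigest()
    return {"tenant": tenant_id, "vm": vm_id, "exp": expires_at, "mac": mac}


def verify_console_token(token, key=SERVER_KEY, now=None) -> bool:
    """Reject expired tokens, then compare MACs in constant time."""
    now = int(time.time()) if now is None else now
    if token["exp"] <= now:
        return False
    expected = hmac.new(key, _message(token["tenant"], token["vm"], token["exp"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


if __name__ == "__main__":
    tok = issue_console_token("tenant-a", 42)
    print("valid:", verify_console_token(tok))
    print("tampered vm:", verify_console_token(dict(tok, vm=43)))
```

The MAC covers every field that selects a console, so changing the VM id or the tenant invalidates it, and without the server key the token cannot be produced at all; the expiry keeps a leaked URL useful only briefly.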
[Full-disclosure] [CVE-2012-5616] Apache CloudStack information disclosure vulnerability
CVE-2012-5616: Apache CloudStack information disclosure vulnerability

Severity: Low
CVSS: 3.5 (AV:L/AC:H/Au:S/C:P/I:P/A:P)
Vendors: The Apache Software Foundation
Versions Affected: Apache CloudStack 4.0.0-incubating

Description:
The CloudStack security team was notified of an information disclosure vulnerability that exists in Apache CloudStack-4.0.0-incubating. With this vulnerability, when a user calls the createSSHKeyPair API command to create an SSH key pair to be used when authenticating to a user VM, the freshly generated SSH private key is rendered in a log file at INFO level on the CloudStack master server as well as being returned to the caller. While remediating this issue, it was also discovered that the AddHost API call will log the password of the added host, and DeployVM and ResetPasswordForVM will log the password of the VM for VMs that support password management by CloudStack.

To leverage these vulnerabilities, a malicious user would require read access to logs on the management server, or another location where those logs are stored (e.g. centralized logging, backup server).

Mitigation:
On the CloudStack management server, modify /etc/cloud/management/log4j.conf so the CONSOLE and APISERVER appender logs with a Threshold of WARN or higher. We will be addressing this in the upcoming release of Apache CloudStack 4.1.0-incubating.

Credit:
This issue was identified by Ahmad Emneina of Citrix.
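The mitigation above raises the appender threshold so INFO-level lines never reach the file. The added example below (not CloudStack code) shows how a defender can audit existing logs for the two kinds of secret the advisory names, what a threshold of WARN does and does not suppress, and a redaction step that removes the secret regardless of level. The log lines are constructed to resemble log4j output and are not real CloudStack messages; the WARN-level line is included only to show the threshold's limit.

```python
"""Added example (not CloudStack code): scan management-server log lines for
leaked private keys and passwords, then redact them. Sample lines are constructed."""
import re

LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]
LOG_LEVEL = re.compile(r"^\S+ \S+ (TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\b")

SECRET_PATTERNS = {
    # PEM header of any private key type (RSA, EC, OPENSSH, unqualified ...)
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # password=... or password: ... in any case
    "password_field": re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"),
}

# Constructed sample log (log4j-style layout); not real CloudStack output.
SAMPLE_LOG = """\
2012-11-20 10:15:01,123 INFO  [cloud.api.ApiServer] (catalina-exec-3:null) createSSHKeyPair response: {"privatekey":"-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEA...\\n-----END RSA PRIVATE KEY-----"}
2012-11-20 10:15:02,456 INFO  [cloud.api.ApiServer] (catalina-exec-4:null) addHost url=http://10.0.0.5 username=root password=Hunter2!
2012-11-20 10:15:03,789 WARN  [cloud.vm.UserVmManagerImpl] (Job-Executor-1:job-17) resetPasswordForVM vmId=17 password=Qx7!pass
2012-11-20 10:15:04,012 INFO  [cloud.api.ApiServer] (catalina-exec-5:null) listVirtualMachines completed
"""


def scan_log(text):
    """Return (line_no, level, kind) for every line that carries a secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LEVEL.match(line)
        level = m.group(1) if m else "?"
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append((n, level, kind))
    return findings


def surviving_threshold(findings, threshold="WARN"):
    """Findings that an appender Threshold would still write: only lines at
    or above the threshold reach the file, so INFO leaks vanish but a secret
    logged at WARN or higher does not."""
    floor = LEVELS.index(threshold)
    return [f for f in findings if f[1] in LEVELS and LEVELS.index(f[1]) >= floor]


_PEM_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)
_PASSWORD = re.compile(r"(?i)(\bpassword\s*[=:]\s*)\S+")


def redact(line):
    """Remove the secret itself, whatever level the line is written at."""
    line = _PEM_BLOCK.sub("[REDACTED PRIVATE KEY]", line)
    return _PASSWORD.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print("leaks:", found)
    print("still logged at Threshold=WARN:", surviving_threshold(found))
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
```

Run `scan_log` over the management log and anywhere it is shipped (the advisory's "centralized logging, backup server"), since a private key that was written once stays readable wherever that file was copied; rotating the affected keys and passwords is part of the cleanup, not just silencing the logger.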
Re: [Full-disclosure] pcap flow extraction
If you're OK with an intermediate step, you'll find a few tools out there (e.g. switch's YAF) that read pcap and spit out the flow data in netflow format. Then a second utility (e.g. flow-tools) can turn that into whatever format you'd like...

John

On Thu, Dec 06, 2007 at 06:35:42PM +1100, Ivan . wrote:
> Hi,
> Does anyone have any ideas for flow information extraction from a rather large pcap file, 6 gigs? I am after the standard stuff: source, destination, service.
> Ethereal/wireshark is a no go, as it won't process the file due to size; tcpflow is OK, but a little untidy.
> Any suggestions are appreciated, preferably open source, and also has anyone used tcpdstat for something like this?
> thanks
> Ivan
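The reply points at pcap-to-netflow converters; the added example below is not from the thread or from any of the tools it names, but shows the core of what such a converter does: read the pcap record by record (so a 6 GB file is never loaded whole), pull the 5-tuple from each IPv4 frame, and aggregate packets and bytes per unidirectional flow. A small capture is constructed inline with private and documentation addresses; the link type, the skipped ARP frame and the truncated-record handling are the assumptions the code makes.

```python
"""Added example (not from the thread): a streaming flow extractor for pcap
files with an Ethernet link type. The sample capture is constructed inline."""
import io
import socket
import struct
from collections import defaultdict

DLT_EN10MB = 1  # pcap link type for plain Ethernet frames


def _flow_key(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, else None."""
    # 14-byte Ethernet header plus at least a 20-byte IPv4 header
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # ARP, IPv6, VLAN-tagged frames and the like are skipped here
    ihl = (frame[14] & 0x0F) * 4  # honour IPv4 options
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP ports sit in the same place
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        sport = dport = 0  # ICMP and other protocols: no ports
    return (src, dst, proto, sport, dport)


def extract_flows(stream):
    """Aggregate packets into unidirectional flows: key -> {'packets', 'bytes'}."""
    hdr = stream.read(24)
    if len(hdr) < 24:
        raise ValueError("not a pcap file")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("unsupported magic (nanosecond pcap or pcapng?)")
    if struct.unpack(endian + "I", hdr[20:24])[0] != DLT_EN10MB:
        raise ValueError("only the Ethernet link type is handled here")
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    while True:
        rec = stream.read(16)  # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            break
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            break  # capture cut short mid-record
        key = _flow_key(frame)
        if key is not None:
            flows[key]["packets"] += 1
            flows[key]["bytes"] += orig_len  # wire length, not the snapped length
    return dict(flows)


# ---- constructed sample capture (not real traffic) ----------------------------
def _ipv4_frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4  # zeroed MACs, IPv4 ethertype


def _tcp(sport, dport, n):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0) + b"A" * n


def _udp(sport, dport, n):
    return struct.pack("!HHHH", sport, dport, 8 + n, 0) + b"B" * n


SAMPLE_FRAMES = [
    _ipv4_frame("10.0.0.5", "192.0.2.10", 6, _tcp(40000, 80, 100)),
    _ipv4_frame("10.0.0.5", "192.0.2.10", 6, _tcp(40000, 80, 200)),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,  # ARP frame: skipped
    _ipv4_frame("10.0.0.5", "192.0.2.53", 17, _udp(5353, 53, 40)),
    _ipv4_frame("10.0.0.5", "192.0.2.10", 6, _tcp(40000, 80, 0)),
]


def build_sample_pcap(frames=SAMPLE_FRAMES):
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", 1196900000 + i, 0, len(frame), len(frame)))
        out.write(frame)
    out.seek(0)
    return out


if __name__ == "__main__":
    for key, stats in sorted(extract_flows(build_sample_pcap()).items()):
        src, dst, proto, sport, dport = key
        print(f"{src}:{sport} -> {dst}:{dport} proto={proto} {stats}")
```

For a real file, pass an open binary handle (`with open(path, "rb") as f: extract_flows(f)`); memory use is bounded by the flow table, not the capture size. The destination port of each flow is the "service" the question asks for; pcapng and nanosecond-resolution captures are deliberately rejected rather than misparsed.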
Re: [Full-disclosure] DHS need to get on top of this right now
On Wed, Oct 24, 2007 at 08:39:56AM +0200, php0t wrote:
> After all this crap, you guys still fall for the trollbait? f*cking sad :-(

Yeah, I'll give ya that. Let's try Lack of sleep for $400, Alex.
Re: [Full-disclosure] DHS need to get on top of this right now
On Wed, Oct 24, 2007 at 12:20:58AM +0100, worried security wrote:
> http://www.merit.edu/mail.archives/nanog/msg04104.html

Shit! Al Qaeda's on NANOG! All these years...what were we thinking???

Now that you've found nanog, why don't you go read the archives about this topic being beaten to death.
Re: [Full-disclosure] In ur server-status
also fun is /server-info...

On Sat, Jul 21, 2007 at 10:53:42PM -0500, Todd Troxell wrote:
> Noticing lots of admins tend to forget about /server-status, I typed at random:
> http://www.cnn.com/server-status
> http://www.webshots.com/server-status
> http://www.download.com/server-status
> http://slashdot.org/server-status
>
> I am sure there are ten billion others. In some cases this is worse than someone grabbing your access log.
>
> --
> Todd Troxell
> http://rapidpacket.com/~xtat
Re: [Full-disclosure] flickR Hack
Fun to see how quickly the number of results for that search is dropping...don't know if it's flickr staff or people are getting alerted...

vtext.com also turns up a few... and tmomail.net

Surprisingly none for cingularme...

On Tue, Apr 10, 2007 at 07:21:30PM -0400, KaT wrote:
> was looking at a friend of mine's photos on flickr and found this little tidbit. it showed his email-to address from his nextel phone ... along with his phone number of his nextel as the send-from address. and to confirm this do a search on flickr with messaging.nextel.com and it will show you the phone number of the nextel user along with the Secret Email Address to send photos to flickr. check it out, kewl stuff
Re: [Full-disclosure] recommendations ??
On Thu, Mar 23, 2006 at 02:42:51PM -0500, Paul A Ryan wrote:
> Is anyone aware of a good open source proxy type launch box - I wanted to force all my network admins (router jockeys) to connect to this box in order to connect to my infrastructure - the box in turn must be capable of logging (tacacs type keystrokes), enforce access control etc .. Something with the functionality of command broker from Nakina Systems.

Not open source (sorry) but I have to give props to OpsWare Network Automation System, which also does this, and very well...config diffs pop up in web pages side-by-side (new/old), along with who did what.

John
Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock
Is anybody else seeing these attacks? Is this the China hackers again?

I think I saw a hole last week, but my logs aren't that great so I'm going to have to go back and double-check.

Could this be related to socks disappearing?

Anybody have signatures for snort?

John

On Thu, Sep 08, 2005 at 01:02:09PM -0400, Dave Cawley wrote:
> With the work around, putting it on the left foot, the hole will be ABOVE the small toe and should not enlarge. This hasn't been verified yet, but the computer models point to this.
>
> ***
> Dave D. Cawley      | High Speed Internet | The number of Unix installations
> Duryea, PA          |                     | has grown to 10, with more expected.
> (570)451-4311 x104  |                     | - The Unix Programmer's Manual, 1972
> [EMAIL PROTECTED]   |
> ***
> URL = http://www.adelphia.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel
> Sent: Thursday, September 08, 2005 2:53 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Secuirty Hole Found In Dave's Sock
>
> Hi all,
> I see that the hole is getting greater if you use the socket without any patches! Can anyone verify this?
> kind regards
> Daniel
Re: [Full-disclosure] Anyone noticing an increase in IOS HTTP scanning?
This was discussed on the NANOG list this morning; people seem to think it's somebody trying to leverage an IOS http auth vulnerability from 2001.

John

On Thu, Sep 01, 2005 at 02:23:38PM -0400, [EMAIL PROTECTED] wrote:
> I have been getting at least 40 IOS HTTP Unauth Command Execution scans in the last 12 hours. Every one has come from a different source IP, but they are all located in Korea. They are all trying to execute GET /level/16/exec/-///pwd HTTP/1.0. The stupid thing is, they are trying this on a bunch of web servers. Has anyone else seen something like this? Before last night, there had never been one of these on this network.
> Thanks.
> Paul Smith
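The report above gives the exact request the scanners send. As an added example (not from the thread, and not a Snort rule), here is the detection logic a web-server operator can run over access-log lines to pick those probes out and count sources: the match is anchored at the root of the request path so a site's own pages under a similarly named directory do not trip it. The log lines are constructed in Apache combined format with documentation-range addresses; the generalisation to any level number in the path is an assumption beyond the single string the post shows.

```python
"""Added example (not from the thread): flag IOS HTTP exec probes in
constructed Apache access-log lines and tally their sources."""
import re
from collections import Counter

ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Match only when the probe path starts at the site root; /docs/level/... is left alone.
IOS_EXEC_PROBE = re.compile(r"^/level/\d{1,2}/exec/")

# Constructed sample log (Apache combined format); addresses are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Sep/2005:09:12:01 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209 "-" "-"
198.51.100.4 - - [01/Sep/2005:09:13:11 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Sep/2005:09:13:40 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209 "-" "-"
198.51.100.4 - - [01/Sep/2005:09:14:02 -0400] "GET /docs/level/16/exec/notes.html HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2005:09:14:20 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209 "-" "-"
"""


def detect_ios_http_probes(text):
    """Return one record per request whose path looks like an IOS exec probe."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # malformed or non-combined-format line
        ip, when, method, path, status = m.groups()
        if IOS_EXEC_PROBE.match(path):
            hits.append({"ip": ip, "time": when, "method": method,
                         "path": path, "status": int(status)})
    return hits


def sources(hits):
    """Count probes per source address, for blocking or correlation."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = detect_ios_http_probes(SAMPLE_ACCESS_LOG)
    for h in found:
        print(h)
    print(sources(found))
```

On a host that is not running IOS the probes come back 404, as in the sample, so the status column says the request was harmless here; the per-source count is what tells you whether one address is walking through your whole range and is worth a block or a report.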
Re: [Full-disclosure] Cisco IOS Shellcode Presentation
Lynn's is not a vulnerability per se, in my mind, but a way to take a vulnerability and turn it into Something Useful.

John

On Fri, Jul 29, 2005 at 03:02:38PM -0500, Madison, Marc wrote:
> Am I missing something here, because it seems that two vulnerabilities are being discussed: one is the IPv6 DOS http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml, and the other is Lynn's presentation on shellcode execution via the IOS?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geo.
> Sent: Friday, July 29, 2005 2:57 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Cisco IOS Shellcode Presentation
>
> > Read the advisory a bit closer. Here are the relevant lines:
> > Products that are not running Cisco IOS are not affected. Products running any version of Cisco IOS that do not have IPv6 configured interfaces are not vulnerable.
> > Yes, IOS versions that have the fix, or that don't even run IPv6, are not *vulnerable*. But all IOS versions are *affected* by the *mechanism* he described.
>
> It's actually a bit worse than that: IPv6 is enabled on all interfaces; you have to execute the "no ipv6 enable" and "no ipv6 address" commands on each interface to disable it.
>
> Second, the exploit is limited to the local network segment, except it seems to me a worm that spreads from router to router could spread via the local network, since a local network segment is usually defined as the wire between two routers.. Infection would spread from one router to its peers, to those peers, etc. (please correct me if I'm wrong)
>
> Geo.