Vulnerabilities > CVE-2011-1773 - Credentials Management vulnerability in multiple products

CVSS 4.4 - MEDIUM

Attack vector

LOCAL

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

local

matthew-booth

redhat

CWE-255

nessus

NVD

Published: 2014-02-08

Updated: 2019-04-22

Summary

virt-v2v before 0.8.4 does not preserve the VNC console password when converting a guest, which allows local users to bypass the intended VNC authentication by connecting without a password.

Vulnerable Configurations

Part	Description	Count
Application	Matthew_Booth Matthew Booth Virt V2V 0.1.0 Matthew Booth Virt V2V 0.2.0 Matthew Booth Virt V2V 0.3.0 Matthew Booth Virt V2V 0.3.2 Matthew Booth Virt V2V 0.4.0 Matthew Booth Virt V2V 0.4.9 Matthew Booth Virt V2V 0.4.10 Matthew Booth Virt V2V 0.5.0 Matthew Booth Virt V2V 0.5.1 Matthew Booth Virt V2V 0.5.2 Matthew Booth Virt V2V 0.5.3 Matthew Booth Virt V2V 0.5.4 Matthew Booth Virt V2V 0.6.0 Matthew Booth Virt V2V 0.6.1 Matthew Booth Virt V2V 0.6.2 Matthew Booth Virt V2V 0.6.3 Matthew Booth Virt V2V 0.7.0 Matthew Booth Virt V2V 0.7.1 Matthew Booth Virt V2V 0.8.0 Matthew Booth Virt V2V 0.8.1 Matthew Booth Virt V2V 0.8.2 Matthew Booth Virt V2V 0.8.3	22
OS	Redhat Redhat Enterprise Linux 6.0	1

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2011-1615.NASL
description	An updated virt-v2v package that fixes one security issue and several bugs is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. virt-v2v is a tool for converting and importing virtual machines to libvirt-managed KVM (Kernel-based Virtual Machine), or Red Hat Enterprise Virtualization. Using virt-v2v to convert a guest that has a password-protected VNC console to a KVM guest removed that password protection from the converted guest: after conversion, a password was not required to access the converted guest
last seen	2020-06-01
modified	2020-06-02
plugin id	64008
published	2013-01-24
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/64008
title	RHEL 6 : virt-v2v (RHSA-2011:1615)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20111206_VIRT_V2V_ON_SL6_X.NASL
description	virt-v2v is a tool for converting and importing virtual machines to libvirt-managed KVM (Kernel-based Virtual Machine). Using virt-v2v to convert a guest that has a password-protected VNC console to a KVM guest removed that password protection from the converted guest: after conversion, a password was not required to access the converted guest
last seen	2020-06-01
modified	2020-06-02
plugin id	61201
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61201
title	Scientific Linux Security Update : virt-v2v on SL6.x x86_64

Redhat

advisories

bugzilla

id	732421
title	Guest will BSOD if boot from Windows Recovery Console after conversion

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003
comment virt-v2v is earlier than 0:0.8.3-5.el6
oval oval:com.redhat.rhsa:tst:20111615001
comment virt-v2v is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111615002

rhsa

id	RHSA-2011:1615
released	2011-12-05
severity	Low
title	RHSA-2011:1615: virt-v2v security and bug fix update (Low)

rpms

virt-v2v-0:0.8.3-5.el6

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References