Rapid7 Vulnerability & Exploit Database

USN-670-1: VMBuilder vulnerability

Back to Search

USN-670-1: VMBuilder vulnerability

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
11/13/2008
Created
07/25/2018
Added
05/06/2013
Modified
07/09/2020

Description

Mathias Gug discovered that vm-builder improperly set the rootpassword when creating virtual machines. An attacker could exploitthis to gain root privileges to the virtual machine by using apredictable password. This vulnerability only affects virtual machines created withvm-builder under Ubuntu 8.10, and does not affect native Ubuntuinstallations. An update was made to the shadow package to detectvulnerable systems and disable password authentication for theroot account. Vulnerable virtual machines which an attacker hasaccess to should be considered compromised, and appropriate actionstaken to secure the machine. The problem can be corrected by updating your system to the following package version: To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system upgrade is sufficient to effect thenecessary changes. https://bugs.launchpad.net/+bug/296841

Solution(s)

  • ubuntu-upgrade-passwd
  • ubuntu-upgrade-python-vm-builder

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;