RHEL 6 : rhev-3.1.0 vdsm (RHSA-2012:1508)

high Nessus Plugin ID 78941

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1508 advisory.

VDSM is a management module that serves as a Red Hat Enterprise Virtualization Manager agent on Red Hat Enterprise Virtualization Hypervisor or Red Hat Enterprise Linux 6.3 hosts.

A flaw was found in the way Red Hat Enterprise Linux hosts were added to the Red Hat Enterprise Virtualization environment. The Python scripts needed to configure the host for Red Hat Enterprise Virtualization were stored in the /tmp/ directory and could be pre-created by an attacker. A local, unprivileged user on the host to be added to the Red Hat Enterprise Virtualization environment could use this flaw to escalate their privileges. This update provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also be installed to completely fix this issue. (CVE-2012-0860)
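The following is an added illustration of the bug class behind CVE-2012-0860 (CWE-377, insecure temporary file); it is not VDSM's or Red Hat's code, and the script name "bootstrap.py", the payload and the scratch directory that stands in for /tmp are all constructed for the example. It replays the pre-creation attack against a writer that uses a fixed path in a shared directory, then shows the two controls that close it: a private, unpredictably named directory (mode 0700) and an exclusive, non-following create.

```python
"""
Added illustration of CWE-377 (insecure temporary file), the bug class behind
CVE-2012-0860. Not VDSM's code: the script name "bootstrap.py", the payload and
the scratch directory standing in for /tmp are constructed for this example.
"""
import os
import stat
import tempfile

SCRIPT_BODY = b"print('bootstrap running as root')\n"  # constructed payload


def vulnerable_stage_script(shared_tmp, name, body):
    """Write the script to a fixed, predictable path in a shared directory.

    This is the insecure pattern: any local user can create `name` in the
    shared directory before the privileged installer runs. open(path, "wb")
    follows a planted symlink (so the attacker picks where root's write lands),
    and a planted regular file stays owned, and rewritable, by the attacker
    until the installer executes it.
    """
    path = os.path.join(shared_tmp, name)
    with open(path, "wb") as f:
        f.write(body)
    return path


def create_exclusive(path, body, mode=0o700):
    """Create `path` only if nothing is there yet, and never follow a symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return path


def hardened_stage_script(shared_tmp, name, body):
    """Stage the script inside a fresh, private, unpredictably named directory.

    tempfile.mkdtemp() creates the directory with mode 0700, so no other user
    can pre-create anything in it, and create_exclusive() refuses to reuse or
    follow a pre-existing entry instead of silently writing through it.
    """
    private_dir = tempfile.mkdtemp(prefix="host-deploy-", dir=shared_tmp)
    return create_exclusive(os.path.join(private_dir, name), body)


def demo():
    """Replay the pre-creation attack in a scratch directory standing in for /tmp."""
    shared_tmp = tempfile.mkdtemp(prefix="fake-tmp-")
    # Unprivileged attacker plants a symlink under the predictable name,
    # pointing at a file they want the privileged installer to overwrite.
    target = os.path.join(shared_tmp, "attacker_chosen_target")
    with open(target, "wb") as f:
        f.write(b"original contents\n")
    os.symlink(target, os.path.join(shared_tmp, "bootstrap.py"))

    # Vulnerable installer: the write lands on the attacker's chosen target.
    vulnerable_stage_script(shared_tmp, "bootstrap.py", SCRIPT_BODY)
    with open(target, "rb") as f:
        write_redirected = f.read() == SCRIPT_BODY

    # Hardened installer: private 0700 directory plus exclusive create.
    staged = hardened_stage_script(shared_tmp, "bootstrap.py", SCRIPT_BODY)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(staged)).st_mode)
    try:
        create_exclusive(staged, b"second write")  # the 'reuse existing file' case
        collision_rejected = False
    except FileExistsError:
        collision_rejected = True

    return {
        "write_redirected_through_symlink": write_redirected,
        "private_dir_hidden_from_others": dir_mode & 0o077 == 0,
        "collision_rejected": collision_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The first flag is the whole vulnerability: with a predictable name in a world-writable directory, the privileged write goes wherever the attacker pointed it. The fix is not a permission tweak on /tmp but taking the name out of the attacker's hands (mkdtemp) and refusing to write into anything that already exists (O_EXCL, O_NOFOLLOW).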

A flaw was found in the way Red Hat Enterprise Linux and Red Hat Enterprise Virtualization Hypervisor hosts were added to the Red Hat Enterprise Virtualization environment. The Python scripts needed to configure the host for Red Hat Enterprise Virtualization were downloaded in an insecure way, that is, without properly validating SSL certificates during HTTPS connections. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, potentially gaining root access to the host being added to the Red Hat Enterprise Virtualization environment. This update provides the VDSM part of the fix. The RHSA-2012:1506 Red Hat Enterprise Virtualization Manager update must also be installed to completely fix this issue. (CVE-2012-0861)
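Added illustration of the bug class behind CVE-2012-0861 (CWE-295, improper certificate validation), not VDSM's or Red Hat's code. It contrasts a TLS client context that accepts any certificate with one that verifies the chain and hostname, adds an optional leaf-certificate pin, and refuses to fetch installer scripts at all over an unverified session. The URL, the CA file argument and the `fetch_bootstrap` helper are assumptions made for the example; the assumption that the scripts come from the Manager follows from the companion RHSA-2012:1506 update named above. Nothing here touches the network when imported.

```python
"""
Added illustration of CWE-295 (improper certificate validation), the bug class
behind CVE-2012-0861. Not VDSM's code: the URL, CA path and fetch helper are
constructed for this example.
"""
import hashlib
import os
import ssl
import tempfile
import urllib.request


def insecure_context():
    """What 'downloaded without validating SSL certificates' looks like.

    Any certificate, including one forged by an on-path attacker, is accepted,
    and the hostname is never checked. Before PEP 476 (Python 2.7.9 / 3.4.3)
    this was also the default behaviour of urllib/httplib, which is the era of
    the advisory.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Verify the chain against a trust store and check the hostname.

    cafile: the CA that signed the server's certificate (assumed here to be the
    Manager's own CA); None falls back to the system trust store. Trusting only
    the private CA is the tighter choice when the client only ever talks to
    one server.
    """
    return ssl.create_default_context(cafile=cafile)


def context_is_safe(ctx):
    """Audit check: reject any context that would accept an unverified peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def pin_of(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert, expected_hex):
    """Optional second factor: pin the leaf certificate's SHA-256.

    Use with SSLSocket.getpeercert(binary_form=True) after the handshake.
    """
    return pin_of(der_cert) == expected_hex.lower().replace(":", "")


def fetch_bootstrap(url, ctx, dest_dir):
    """Download a script over HTTPS into a private file, verified session only."""
    if not context_is_safe(ctx):
        raise ValueError("refusing to fetch installer scripts over an unverified TLS session")
    fd, path = tempfile.mkstemp(prefix="bootstrap-", suffix=".py", dir=dest_dir)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp, os.fdopen(fd, "wb") as out:
        out.write(resp.read())
    return path
```

`context_is_safe` is the check to run against any HTTPS client code you inherit: if `verify_mode` is not `CERT_REQUIRED` or `check_hostname` is off, an attacker on the network path can serve their own certificate and their own "bootstrap" script, which is exactly the root-on-the-new-host outcome described above.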

The CVE-2012-0860 and CVE-2012-0861 issues were discovered by Red Hat.

In addition to resolving the above security issues these updated VDSM packages fix various bugs, and add various enhancements.

Documentation for these bug fixes and enhancements is available in the Technical Notes:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Virtualization/3.1/html/Technical_Notes/index.html

All users who require VDSM are advised to install these updated packages which resolve these security issues, fix these bugs, and add these enhancements.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?1b979d61

http://www.nessus.org/u?326e0902

https://access.redhat.com/errata/RHSA-2012:1508

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=734847

https://bugzilla.redhat.com/show_bug.cgi?id=744704

https://bugzilla.redhat.com/show_bug.cgi?id=766281

https://bugzilla.redhat.com/show_bug.cgi?id=772556

https://bugzilla.redhat.com/show_bug.cgi?id=783383

https://bugzilla.redhat.com/show_bug.cgi?id=790730

https://bugzilla.redhat.com/show_bug.cgi?id=790754

https://bugzilla.redhat.com/show_bug.cgi?id=797526

https://bugzilla.redhat.com/show_bug.cgi?id=798635

https://bugzilla.redhat.com/show_bug.cgi?id=800367

https://bugzilla.redhat.com/show_bug.cgi?id=802759

https://bugzilla.redhat.com/show_bug.cgi?id=806625

https://bugzilla.redhat.com/show_bug.cgi?id=806757

https://bugzilla.redhat.com/show_bug.cgi?id=807351

https://bugzilla.redhat.com/show_bug.cgi?id=807687

https://bugzilla.redhat.com/show_bug.cgi?id=811807

https://bugzilla.redhat.com/show_bug.cgi?id=812793

https://bugzilla.redhat.com/show_bug.cgi?id=813423

https://bugzilla.redhat.com/show_bug.cgi?id=814435

https://bugzilla.redhat.com/show_bug.cgi?id=815359

https://bugzilla.redhat.com/show_bug.cgi?id=826467

https://bugzilla.redhat.com/show_bug.cgi?id=826873

https://bugzilla.redhat.com/show_bug.cgi?id=826921

https://bugzilla.redhat.com/show_bug.cgi?id=829037

https://bugzilla.redhat.com/show_bug.cgi?id=829645

https://bugzilla.redhat.com/show_bug.cgi?id=829710

https://bugzilla.redhat.com/show_bug.cgi?id=830485

https://bugzilla.redhat.com/show_bug.cgi?id=830486

https://bugzilla.redhat.com/show_bug.cgi?id=831528

https://bugzilla.redhat.com/show_bug.cgi?id=832765

https://bugzilla.redhat.com/show_bug.cgi?id=832798

https://bugzilla.redhat.com/show_bug.cgi?id=833084

https://bugzilla.redhat.com/show_bug.cgi?id=833099

https://bugzilla.redhat.com/show_bug.cgi?id=833119

https://bugzilla.redhat.com/show_bug.cgi?id=833425

https://bugzilla.redhat.com/show_bug.cgi?id=833803

https://bugzilla.redhat.com/show_bug.cgi?id=834008

https://bugzilla.redhat.com/show_bug.cgi?id=834105

https://bugzilla.redhat.com/show_bug.cgi?id=834205

https://bugzilla.redhat.com/show_bug.cgi?id=835478

https://bugzilla.redhat.com/show_bug.cgi?id=835784

https://bugzilla.redhat.com/show_bug.cgi?id=835900

https://bugzilla.redhat.com/show_bug.cgi?id=835920

https://bugzilla.redhat.com/show_bug.cgi?id=836161

https://bugzilla.redhat.com/show_bug.cgi?id=836562

https://bugzilla.redhat.com/show_bug.cgi?id=836954

https://bugzilla.redhat.com/show_bug.cgi?id=837054

https://bugzilla.redhat.com/show_bug.cgi?id=837836

https://bugzilla.redhat.com/show_bug.cgi?id=838347

https://bugzilla.redhat.com/show_bug.cgi?id=838547

https://bugzilla.redhat.com/show_bug.cgi?id=838802

https://bugzilla.redhat.com/show_bug.cgi?id=838924

https://bugzilla.redhat.com/show_bug.cgi?id=840294

https://bugzilla.redhat.com/show_bug.cgi?id=840300

https://bugzilla.redhat.com/show_bug.cgi?id=840386

https://bugzilla.redhat.com/show_bug.cgi?id=840594

https://bugzilla.redhat.com/show_bug.cgi?id=841863

https://bugzilla.redhat.com/show_bug.cgi?id=842115

https://bugzilla.redhat.com/show_bug.cgi?id=842146

https://bugzilla.redhat.com/show_bug.cgi?id=842338

https://bugzilla.redhat.com/show_bug.cgi?id=842662

https://bugzilla.redhat.com/show_bug.cgi?id=842771

https://bugzilla.redhat.com/show_bug.cgi?id=843076

https://bugzilla.redhat.com/show_bug.cgi?id=843387

https://bugzilla.redhat.com/show_bug.cgi?id=843498

https://bugzilla.redhat.com/show_bug.cgi?id=844180

https://bugzilla.redhat.com/show_bug.cgi?id=844294

https://bugzilla.redhat.com/show_bug.cgi?id=844347

https://bugzilla.redhat.com/show_bug.cgi?id=845193

https://bugzilla.redhat.com/show_bug.cgi?id=845346

https://bugzilla.redhat.com/show_bug.cgi?id=845525

https://bugzilla.redhat.com/show_bug.cgi?id=845830

https://bugzilla.redhat.com/show_bug.cgi?id=846004

https://bugzilla.redhat.com/show_bug.cgi?id=846014

https://bugzilla.redhat.com/show_bug.cgi?id=846307

https://bugzilla.redhat.com/show_bug.cgi?id=846312

https://bugzilla.redhat.com/show_bug.cgi?id=846323

https://bugzilla.redhat.com/show_bug.cgi?id=846376

https://bugzilla.redhat.com/show_bug.cgi?id=847518

https://bugzilla.redhat.com/show_bug.cgi?id=847733

https://bugzilla.redhat.com/show_bug.cgi?id=847744

https://bugzilla.redhat.com/show_bug.cgi?id=848101

https://bugzilla.redhat.com/show_bug.cgi?id=848299

https://bugzilla.redhat.com/show_bug.cgi?id=848616

https://bugzilla.redhat.com/show_bug.cgi?id=848728

https://bugzilla.redhat.com/show_bug.cgi?id=849315

https://bugzilla.redhat.com/show_bug.cgi?id=849542

https://bugzilla.redhat.com/show_bug.cgi?id=851146

https://bugzilla.redhat.com/show_bug.cgi?id=851839

https://bugzilla.redhat.com/show_bug.cgi?id=852989

https://bugzilla.redhat.com/show_bug.cgi?id=853011

https://bugzilla.redhat.com/show_bug.cgi?id=853040

https://bugzilla.redhat.com/show_bug.cgi?id=853703

https://bugzilla.redhat.com/show_bug.cgi?id=853710

https://bugzilla.redhat.com/show_bug.cgi?id=853910

https://bugzilla.redhat.com/show_bug.cgi?id=853968

https://bugzilla.redhat.com/show_bug.cgi?id=854027

https://bugzilla.redhat.com/show_bug.cgi?id=854151

https://bugzilla.redhat.com/show_bug.cgi?id=854212

https://bugzilla.redhat.com/show_bug.cgi?id=854242

https://bugzilla.redhat.com/show_bug.cgi?id=854457

https://bugzilla.redhat.com/show_bug.cgi?id=854748

https://bugzilla.redhat.com/show_bug.cgi?id=854763

https://bugzilla.redhat.com/show_bug.cgi?id=854765

https://bugzilla.redhat.com/show_bug.cgi?id=854919

https://bugzilla.redhat.com/show_bug.cgi?id=854953

https://bugzilla.redhat.com/show_bug.cgi?id=855049

https://bugzilla.redhat.com/show_bug.cgi?id=855425

https://bugzilla.redhat.com/show_bug.cgi?id=855729

https://bugzilla.redhat.com/show_bug.cgi?id=855887

https://bugzilla.redhat.com/show_bug.cgi?id=855918

https://bugzilla.redhat.com/show_bug.cgi?id=855922

https://bugzilla.redhat.com/show_bug.cgi?id=855924

https://bugzilla.redhat.com/show_bug.cgi?id=856163

https://bugzilla.redhat.com/show_bug.cgi?id=856167

https://bugzilla.redhat.com/show_bug.cgi?id=857112

https://bugzilla.redhat.com/show_bug.cgi?id=859109

https://bugzilla.redhat.com/show_bug.cgi?id=862002

https://bugzilla.redhat.com/show_bug.cgi?id=863265

https://bugzilla.redhat.com/show_bug.cgi?id=865386

https://bugzilla.redhat.com/show_bug.cgi?id=866163

https://bugzilla.redhat.com/show_bug.cgi?id=866533

https://bugzilla.redhat.com/show_bug.cgi?id=867354

https://bugzilla.redhat.com/show_bug.cgi?id=867806

https://bugzilla.redhat.com/show_bug.cgi?id=867813

https://bugzilla.redhat.com/show_bug.cgi?id=867922

https://bugzilla.redhat.com/show_bug.cgi?id=868272

https://bugzilla.redhat.com/show_bug.cgi?id=868681

https://bugzilla.redhat.com/show_bug.cgi?id=868721

https://bugzilla.redhat.com/show_bug.cgi?id=870024

https://bugzilla.redhat.com/show_bug.cgi?id=870079

https://bugzilla.redhat.com/show_bug.cgi?id=870734

https://bugzilla.redhat.com/show_bug.cgi?id=870768

https://bugzilla.redhat.com/show_bug.cgi?id=871355

https://bugzilla.redhat.com/show_bug.cgi?id=871811

https://bugzilla.redhat.com/show_bug.cgi?id=872270

https://bugzilla.redhat.com/show_bug.cgi?id=872935

https://bugzilla.redhat.com/show_bug.cgi?id=874481

https://bugzilla.redhat.com/show_bug.cgi?id=876115

https://bugzilla.redhat.com/show_bug.cgi?id=876558

Plugin Details

Severity: High

ID: 78941

File Name: redhat-RHSA-2012-1508.nasl

Version: 1.13

Type: local

Agent: unix

Published: 11/8/2014

Updated: 6/3/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-0861

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2012-0860

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:vdsm-hook-vhostmd, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:vdsm-reg, p-cpe:/a:redhat:enterprise_linux:vdsm-cli, p-cpe:/a:redhat:enterprise_linux:vdsm, p-cpe:/a:redhat:enterprise_linux:vdsm-python

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 12/4/2012

Vulnerability Publication Date: 1/4/2013

Reference Information

CVE: CVE-2012-0860, CVE-2012-0861

BID: 56825

CWE: 295, 377

RHSA: 2012:1508