Description
libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server.
It was found that setting a VNC password to an empty string in libvirt did not disable all access to the VNC server as documented; instead, it allowed access with no authentication required. An attacker could use this flaw to access a VNC server with an empty VNC password without any authentication.
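A defensive check for the configuration described above, as an added example that is not part of the original advisory: it scans libvirt domain XML for VNC `<graphics>` elements whose `passwd` attribute is an empty string. It assumes the password is set through the domain XML rather than elsewhere; the sample definitions and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML; on a real host the input would come from
# `virsh dumpxml --security-info <domain>` (passwords are omitted otherwise).
SAMPLES = [
    "<domain><name>empty-pw</name><devices>"
    "<graphics type='vnc' port='5900' listen='0.0.0.0' passwd=''/></devices></domain>",
    "<domain><name>empty-pw-child</name><devices><graphics type='vnc' port='-1' passwd=''>"
    "<listen type='address' address='127.0.0.1'/></graphics></devices></domain>",
    "<domain><name>real-pw</name><devices>"
    "<graphics type='vnc' port='5901' passwd='constructed-value'/></devices></domain>",
    "<domain><name>no-pw-attr</name><devices>"
    "<graphics type='vnc' port='5902'/></devices></domain>",
    "<domain><name>spice</name><devices>"
    "<graphics type='spice' port='5903' passwd=''/></devices></domain>",
]


def find_empty_vnc_passwords(domain_xml):
    """Return one finding per VNC <graphics> element whose passwd is ''."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    findings = []
    for gfx in root.iter("graphics"):
        # Only VNC is in scope here; an absent passwd attribute is a different
        # configuration from the empty string this advisory is about.
        if gfx.get("type") != "vnc" or gfx.get("passwd") != "":
            continue
        listen = gfx.get("listen")
        if listen is None:  # newer form: <listen address='...'/> child element
            child = gfx.find("listen")
            listen = child.get("address") if child is not None else None
        findings.append(
            {"domain": name, "port": gfx.get("port"), "listen": listen or "unspecified"}
        )
    return findings


def audit(domains):
    """Scan many domain definitions and return all findings in input order."""
    return [f for xml_text in domains for f in find_empty_vnc_passwords(xml_text)]


if __name__ == "__main__":
    for f in audit(SAMPLES):
        print(f"{f['domain']}: VNC on {f['listen']}:{f['port']} has an empty password")
```

On libvirt before 2.0.0 each finding is a VNC server that accepts connections without authentication, rather than one with access disabled as documented.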
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | libvirt | Not affected | ||
Red Hat Enterprise Linux 6 | libvirt | Will not fix | ||
Red Hat Enterprise Virtualization 3 | mingw-virt-viewer | Under investigation | ||
Red Hat Enterprise Linux 7 | libvirt | Fixed | RHSA-2016:2577 | 03.11.2016 |
Red Hat Gluster Storage 3.1 for RHEL 7 | libvirt | Fixed | RHSA-2016:2577 | 03.11.2016 |
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | libvirt | Fixed | RHSA-2016:2577 | 03.11.2016 |
Additional information
Status:
CVSS3: 5.6 Medium
CVSS2: 5.1 Medium