Credit:
The information has been provided by Stephen de Vries.
Vulnerable Systems:
* VMware ESX prior to 2.5.3 upgrade patch 2
* VMware ESX prior to 2.1.3 upgrade patch 1
* VMware ESX prior to 2.0.2 upgrade patch 1
Immune Systems:
* VMware ESX prior to 2.5.3 upgrade patch 3
* VMware ESX prior to 2.1.3 upgrade patch 2
* VMware ESX prior to 2.0.2 upgrade patch 2
VMware ESX Server is described as virtual infrastructure software for partitioning, consolidating and managing servers in mission-critical environments.
The software provides a virtualization layer that allows multiple x86 based operating systems to run on the same hardware concurrently. The ESX Server product differs from other VMware products in that it does not require a "host" operating system to be provided by the user. Instead, it uses a custom x86 kernel as the host, along with a customized Linux operating system as a "console O/S".
VMware ESX Server includes a number of network services and a web application, called the "VMware Management Interface", that can be used to perform remote administration of the system.
Analysis:
One of the functions provided by the Management Interface is to change passwords. Through an HTML form, the user is requested to enter and confirm their new password. This data is sent through an HTTP GET request to the server. For example, when changing the root user's password to "test", the following request would be sent:
https://address-of-vmware-server/sx-users?op=setUsr&ag=&rg=&nm=root&hd=%2Froot&pw=test&pwc=test&grpSlct=
This request along with the passwords is logged in the Apache access logs: /var/log/httpd/access_log and /var/log/httpd/ssl_request_log. It is also rotated into the corresponding backup logs.
The permissions on these files permit world read access. This allows any local user of the system to read the files and consequently to recover every password that was set through the Management Interface.
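As an added defensive example (not part of the original advisory or of VMware's software), the following Python script finds requests of the kind shown above in Apache access-log lines and produces a redacted copy suitable for retention; the log lines it scans are constructed, not captured from a real server.

```python
"""Find Management Interface password changes logged in Apache access logs
(GET /sx-users?op=setUsr...&pw=...&pwc=...) and redact the secret values.
Added example for this advisory; SAMPLE_LOG is constructed test data."""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query parameters that carry the new password in the setUsr request.
SECRET_PARAMS = {"pw", "pwc"}

# Constructed sample lines in Apache common log format (not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2005:12:00:01 +0000] "GET /sx-users?op=setUsr&ag=&rg=&nm=root&hd=%2Froot&pw=test&pwc=test&grpSlct= HTTP/1.1" 200 512
10.0.0.5 - - [10/Dec/2005:12:00:02 +0000] "GET /sx-status HTTP/1.1" 200 1024
10.0.0.7 - - [10/Dec/2005:12:01:00 +0000] "GET /sx-users?op=setUsr&nm=admin&pw=Secr3t&pwc=Secr3t HTTP/1.1" 200 512
"""

# Matches the quoted request line: method, request target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def find_leaks(log_text):
    """Return (line_number, account_name, secret_params) for every request
    whose query string carries a password parameter."""
    leaks = []
    for num, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = dict(parse_qsl(query, keep_blank_values=True))
        hit = sorted(SECRET_PARAMS & params.keys())
        if hit:
            leaks.append((num, params.get("nm", ""), hit))
    return leaks


def redact_line(line):
    """Replace the value of each secret parameter with REDACTED and leave
    the rest of the log line, including blank parameters, untouched."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    params = [(k, "REDACTED" if k in SECRET_PARAMS else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = parts._replace(query=urlencode(params)).geturl()
    return line[:m.start("target")] + new_target + line[m.end("target"):]


if __name__ == "__main__":
    for num, user, secrets in find_leaks(SAMPLE_LOG):
        print(f"line {num}: password for '{user}' logged in {secrets}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run it against /var/log/httpd/access_log and the rotated copies to confirm whether any credentials are present before fixing the file permissions.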
Recommendations:
Upgrade to a version of the VMware ESX product that does not exhibit this issue.
CVE Information:
CVE-2005-3620