[RHSA-2013:0849-01] Important: KVM image security update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: KVM image security update

Advisory ID: RHSA-2013:0849-01

Product: Red Hat Common

Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0849.html

Issue date: 2013-05-23

CVE Names: CVE-2013-2069

=====================================================================

 

1. Summary:

 

The Red Hat Enterprise Linux 6.4 KVM Guest Image for cloud instances had

an empty root password by default.

 

The Red Hat Security Response Team has rated this update as having

important security impact. A Common Vulnerability Scoring System (CVSS)

base score, which gives a detailed severity rating, is available from the

CVE link in the References section.

 

2. Description:

 

Red Hat provides a Red Hat Enterprise Linux 6.4 KVM Guest Image for

cloud instances. This image is provided as a minimally configured system

image which is available for use as-is or for configuration and

customization as required by end users.

 

The Red Hat Enterprise Linux 6.4 KVM Guest Image for cloud instances had an

empty root password by default. To address this, Red Hat has created an

updated image that locks the root password by default. This updated image

is now available on RHN.

 

To correct existing Red Hat Enterprise Linux 6.4 KVM Guest Images, any

images or systems built using this Red Hat Enterprise Linux 6.4 KVM Guest

Image, or any currently running Red Hat Enterprise Linux instances

instantiated from this image, users can lock the root password by issuing,

as root, the command:

 

passwd -l root

 

Note: The default OpenSSH configuration disallows password logins when

the password is empty, preventing a remote attacker from logging in

without a password.

 

Root Cause

 

Kickstart can be used to automate operating system installations. A

Kickstart file specifies settings for an installation. Once the

installation system boots, it can read a Kickstart file and carry out the

installation process without any further input from a user. Kickstart is

used as part of the process of creating Images of Red Hat Enterprise Linux

for cloud providers.

 

It was discovered that when no 'rootpw' command was specified in a

Kickstart file, the image creator tools gave the root user an empty

password rather than leaving the password locked, which could allow a local

user to gain access to the root account (CVE-2013-2069).

 

We have corrected this issue by up[censored] the Kickstart file used to build

affected images to lock the password file.

 

This issue was caused by the way a tool was used to create Images, and not

due to a security vulnerability in Red Hat Enterprise Linux.

 

To import the image into an OpenStack environment, download the image from

Red Hat Network to a system that has the python-glanceclient package

installed. Refer to the OpenStack Getting Started Guide, linked to in the

References, for information on importing the image into an OpenStack

environment. After successfully importing, it is also highly recommended

that the "glance delete" command is used to delete any previous versions of

the image that exist in the Glance image registry.

 

3. Solution:

 

The updated image is available from RHN, linked to in the References.

 

4. Bugs fixed (http://bugzilla.redhat.com/):

 

964299 - CVE-2013-2069 livecd-tools: improper handling of passwords

 

5. References:

 

https://www.redhat.com/security/data/cve/CVE-2013-2069.html

https://access.redhat.com/security/updates/classification/#important

https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=16952

https://access.redhat.com/site/documentation/en-US/Red_Hat_OpenStack/2/html/Getting_Started_Guide/ch09s02.html

 

6. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2013 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFRniBxXlSAg2UNWIIRApctAJ4pgh+eBx9yhMkVFSx4jaZbHBTs6ACgxWaQ

Q3S06teWs2skOC1AcFJjkqc=

=3f+H

-----END PGP SIGNATURE-----

 

 

--