Bug 1500517 (CVE-2017-12191) - CVE-2017-12191 CFME: VMRC plugin console grants users administrative access
Summary: CVE-2017-12191 CFME: VMRC plugin console grants users administrative access
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-12191
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1479840 1500518 1507165 1536537
Blocks: 1486789
Reported: 2017-10-10 19:54 UTC by Kurt Seifried
Modified: 2021-02-17 01:24 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMware Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:28:56 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0374 0 normal SHIPPED_LIVE Important: Red Hat CloudForms security, bug fix, and enhancement update 2018-02-28 18:04:37 UTC

Description Kurt Seifried 2017-10-10 19:54:58 UTC
Gellert Kis of Red Hat reports:

The CloudForms VMRC plugin console grants users administrative access due to incorrect session privileges.

Comment 3 Kurt Seifried 2018-01-12 20:47:14 UTC
Acknowledgments:

Name: Gellert Kis (Red Hat)

Comment 6 errata-xmlrpc 2018-02-28 13:04:08 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2018:0374 https://access.redhat.com/errata/RHSA-2018:0374

