Russell Bryant (rbryant) reports:

Title: VNC proxy can connect to the wrong VM
CVE: CVE-2013-0335
Reporter: Loganathan Parthipan (HP), Rohit Karajgi (NTT Data)
Products: Nova
Affects: All versions

Description:
Loganathan Parthipan (HP) and Rohit Karajgi (NTT Data) independently reported a vulnerability in Nova. If a user requests a console and then deletes the VM, it is possible that the console token could allow connectivity to a different VM before the console token expires if the VNC port gets reused in that time period. This issue can be worked around by disabling VNC support.

External references:
master (grizzly): https://review.openstack.org/#/c/22086/
stable/folsom: https://review.openstack.org/#/c/22758/
stable/essex: https://review.openstack.org/#/c/22872/
Created attachment 702653 openstack-folsom-CVE-2013-0335.patch
Other references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0335
http://www.openwall.com/lists/oss-security/2013/02/26/7
https://bugs.launchpad.net/nova/+bug/1125378
http://www.ubuntu.com/usn/USN-1771-1
http://www.osvdb.org/90657
http://secunia.com/advisories/52337
http://secunia.com/advisories/52728
Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Loganathan Parthipan (HP) and Rohit Karajgi (NTT Data) as the original, independent reporters.
This issue has been addressed in the following products:

OpenStack Folsom for RHEL 6
Via RHSA-2013:0709 https://rhn.redhat.com/errata/RHSA-2013-0709.html
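The port-reuse condition from the advisory description, as an added example that is not Nova's code and not the attached patch: a constructed model of a console token store, showing a token that authorizes only a port next to one that is also bound to the instance it was issued for. The names `Compute`, `ConsoleAuth`, `bind_instance` and `scenario`, the port number and the VM ids are all hypothetical.

```python
class Compute:
    """Constructed stand-in for a compute host: which instance owns each VNC port."""
    def __init__(self):
        self.port_owner = {}  # port -> instance id

    def boot(self, instance, port):
        self.port_owner[port] = instance

    def delete(self, instance):
        self.port_owner = {p: i for p, i in self.port_owner.items() if i != instance}


class ConsoleAuth:
    """Hypothetical token store consulted by the VNC proxy (not Nova's implementation)."""
    def __init__(self, compute, ttl=600, bind_instance=True):
        self.compute, self.ttl, self.bind_instance = compute, ttl, bind_instance
        self.tokens = {}  # token -> (instance, port, expiry)

    def authorize(self, token, instance, port, now):
        self.tokens[token] = (instance, port, now + self.ttl)

    def delete_tokens_for_instance(self, instance):
        # Call on VM deletion so a stale token cannot outlive its VM.
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != instance}

    def check(self, token, now):
        """Return the port the proxy may connect to, or None to refuse."""
        entry = self.tokens.get(token)
        if entry is None or now >= entry[2]:
            return None
        instance, port, _ = entry
        # Hardened path: the port must still belong to the instance the token was issued for.
        if self.bind_instance and self.compute.port_owner.get(port) != instance:
            return None
        return port


def scenario(bind_instance):
    """Request a console for vm-a, delete vm-a, let vm-b reuse the port, present the old token."""
    compute = Compute()
    auth = ConsoleAuth(compute, bind_instance=bind_instance)
    compute.boot("vm-a", 5900)
    auth.authorize("tok-a", "vm-a", 5900, now=0)
    compute.delete("vm-a")
    compute.boot("vm-b", 5900)  # port reused before tok-a expires
    port = auth.check("tok-a", now=60)
    return compute.port_owner.get(port) if port is not None else None


if __name__ == "__main__":
    print("token checks port only  ->", scenario(bind_instance=False))
    print("token bound to instance ->", scenario(bind_instance=True))
```

With the port-only check the old token resolves to the second VM; with the instance binding the proxy refuses it, and `delete_tokens_for_instance` removes the token outright at deletion time.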