Executive Summary

Information
Name: CVE-2011-1773
First vendor Publication: 2014-02-07
Vendor: Cve
Last vendor Modification: 2019-04-22

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score: 4.4
Attack Range: Local
Cvss Impact Score: 6.4
Attack Complexity: Medium
Cvss Exploit Score: 3.4
Authentication: None Required

Detail

virt-v2v before 0.8.4 does not preserve the VNC console password when converting a guest, which allows local users to bypass the intended VNC authentication by connecting without a password.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1773

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-255 Credentials Management

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26996
 
Oval ID: oval:org.mitre.oval:def:26996
Title: RHSA-2011:1615 -- virt-v2v security and bug fix update (Low)
Description: virt-v2v is a tool for converting and importing virtual machines to libvirt-managed KVM (Kernel-based Virtual Machine), or Red Hat Enterprise Virtualization.
Using virt-v2v to convert a guest that has a password-protected VNC console to a KVM guest removed that password protection from the converted guest: after conversion, a password was not required to access the converted guest's VNC console. Now, converted guests will require the same VNC console password as the original guest. Note that when converting a guest to run on Red Hat Enterprise Virtualization, virt-v2v will display a warning that VNC passwords are not supported. (CVE-2011-1773)
Note: The Red Hat Enterprise Linux 6.2 perl-Sys-Virt update must also be installed to correct CVE-2011-1773.
Bug fixes:
* When converting a guest virtual machine (VM), whose name contained certain characters, virt-v2v would create a converted guest with a corrupted name. Now, virt-v2v will not corrupt guest names. (BZ#665883)
* There were numerous usability issues when running virt-v2v as a non-root user. This update makes it simpler to run virt-v2v as a non-root user. (BZ#671094)
* virt-v2v failed to convert a Microsoft Windows guest with Windows Recovery Console installed in a separate partition. Now, virt-v2v will successfully convert a guest with Windows Recovery Console installed in a separate partition by ignoring that partition. (BZ#673066)
* virt-v2v failed to convert a Red Hat Enterprise Linux guest which did not have the symlink "/boot/grub/menu.lst". With this update, virt-v2v can select a grub configuration file from several places. (BZ#694364)
* This update removes information about the usage of deprecated command line options in the virt-v2v man page. (BZ#694370)
* virt-v2v would fail to correctly change the allocation policy, (sparse or preallocated) when converting a guest with QCOW2 image format. The error message "Cannot import VM, The selected disk configuration is not supported" was displayed. With this update, allocation policy changes to a guest with QCOW2 storage will work correctly. (BZ#696089)
* The options "--network" and "--bridge" can not be used in conjunction when converting a guest, but no error message was displayed. With this update, virt-v2v will now display an error message if the mutually exclusive "--network" and "--bridge" command line options are both specified. (BZ#700759)
* virt-v2v failed to convert a multi-boot guest, and did not clean up temporary storage and mount points after failure. With this update, virt-v2v will prompt for which operating system to convert from a multi-boot guest, and will correctly clean up if the process fails. (BZ#702007)
* virt-v2v failed to correctly configure modprobe aliases when converting a VMware ESX guest with VMware Tools installed. With this update, modprobe aliases will be correctly configured. (BZ#707261)
* When converting a guest with preallocated raw storage using the libvirtxml input method, virt-v2v failed with the erroneous error message "size(X) < usage(Y)". This update removes this erroneous error. (BZ#727489)
* When converting a Red Hat Enterprise Linux guest, virt-v2v did not check that the Cirrus X driver was available before configuring it. With this update, virt-v2v will attempt to install the Cirrus X driver if it is required. (BZ#708961)
* VirtIO systems do not support the Windows Recovery Console on 32-bit Windows XP. The virt-v2v man page has been updated to note this. On Windows XP Professional x64 Edition, however, if Windows Recovery Console is re-installed after conversion, it will work as expected. (BZ#732421)
* Placing comments in the guest fstab file by means of the leading "#" symbol caused an "unknown filesystem" error after conversion of a guest. With this update comments can now be used and error messages will not be displayed. (BZ#677870)
Users of virt-v2v should upgrade to this updated package, which fixes these issues and upgrades virt-v2v to version 0.8.3.
Family: unix Class: patch
Reference(s): RHSA-2011:1615
CVE-2011-1773
Version: 3
Platform(s): Red Hat Enterprise Linux 6
Product(s): virt-v2v
Definition Id: oval:org.mitre.oval:def:27993
 
Oval ID: oval:org.mitre.oval:def:27993
Title: ELSA-2011-1615 -- virt-v2v security and bug fix update (low)
Description:
[0.8.3-5]
- Fix regression when converting Win7 32 bit to RHEV (RHBZ#738236)
[0.8.3-4] [element]
[0.8.3-3]
- Add missing dependency on new Sys::Virt
[0.8.3-2]
- Fix for CVE-2011-1773
- Document limitations wrt Windows Recovery Console
[0.8.3-1]
- Include missing virt-v2v.db
- Rebase to upstream release 0.8.3
[0.8.2-2]
- Split configuration into /etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db
- Improve usability as non-root user (RHBZ#671094)
- Update man pages to use -os as appropriate (RHBZ#694370)
- Warn if user specifies both -n and -b (RHBZ#700759)
- Fix cleanup when multiboot OS is detected (RHBZ#702007)
- Ensure the cirrus driver is installed if required (RHBZ#708961)
- Remove unnecessary dep on perl(IO::Handle)
- Fix conversion of xen guests using aio storage backend.
- Suppress warning for chainloader grub entries.
- Only configure a single scsi_hostadapter for converted VMware guests.
[0.8.2-1]
- Rebase to upstream release 0.8.2
[0.7.1-4]
- Fix detection of Windows XP Pro x64 (RHBZ#679017)
- Fix error message when converting Red Hat Desktop (RHBZ#678950)
Family: unix Class: patch
Reference(s): ELSA-2011-1615
CVE-2011-1773
Version: 3
Platform(s): Oracle Linux 6
Product(s): virt-v2v

CPE : Common Platform Enumeration

Type Description Count
Application 21
Os 1

OpenVAS Exploits

Date Description
2012-07-09 Name : RedHat Update for virt-v2v RHSA-2011:1615-03
File : nvt/gb_RHSA-2011_1615-03_virt-v2v.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
77558 virt-v2v Guest Conversion VNC Password Local Authentication Bypass

Nessus® Vulnerability Scanner

Date Description
2013-01-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2011-1615.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing a security update.
File : sl_20111206_virt_v2v_on_SL6_x.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=702754
https://git.fedorahosted.org/cgit/virt-v2v.git/commit/?id=7e9393129116699d122...
OSVDB http://www.osvdb.org/77558
REDHAT http://rhn.redhat.com/errata/RHSA-2011-1615.html
SECUNIA http://secunia.com/advisories/47086

Alert History

Date Information
2021-05-04 12:14:25
  • Multiple Updates
2021-04-22 01:15:41
  • Multiple Updates
2020-05-23 01:44:25
  • Multiple Updates
2020-05-23 00:28:25
  • Multiple Updates
2019-04-22 21:19:05
  • Multiple Updates
2016-06-28 18:38:50
  • Multiple Updates
2016-04-26 20:44:12
  • Multiple Updates
2014-02-17 11:02:07
  • Multiple Updates
2014-02-10 21:21:47
  • Multiple Updates
2014-02-08 13:18:56
  • First insertion