CVE-2015-7544

First published: Wed Oct 07 2015(Updated: )

Alexander Wels of Red Hat reported vulnerability allowing anybody possessing SuperUser role on any Entity to remotely execute arbitrary code as root on any host in RHEV environment. The vulnerability is in the feature that allows to view logs that reside on the hosts from inside the UI by selecting the log from the UI. It happens as following: /* http request to /redhat-support-plugin- rhev/logs?path=<path+filename>&machine=<name of machine selected>/ /* servlet handles the request, and passes the <path+filename> to an ssh client class./ /* The ssh client connects to the selected machine and executes as root/ / 'stat - c %s ' + <path+filename>/ Nowhere in this sequence is the <path+filename> checked or validated. The only validation that happens is that the session associated with the request has the 'SuperUser' role. It doesn't matter what entity the role is on, it just has to have that role on any entity in the RHEV system. With fairly simple url parameter manipulation, an arbitrary code can be executed as root on any host in the RHEV system. Note that SuperUser on an Entity != ROOT on the hosts.

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/references
• agent/type
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/author
• agent/weakness
• agent/severity
• agent/last-modified-date
• agent/event
• agent/first-publish-date
• agent/description
• agent/tags
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2015-7544
• vendor/redhat
• canonical/redhat enterprise virtualization manager
• version/redhat enterprise virtualization manager/3.4
• version/redhat enterprise virtualization manager/3.4.1
• version/redhat enterprise virtualization manager/3.5.0