CVE-2014-0592

Barclamp (aka barclamp-network) 1.7 for the Crowbar Framework, as used in SUSE Cloud 3, does not enable netfilter on bridges when creating new instances, which allows remote attackers to bypass security group restrictions via unspecified vectors, related to floating IPs.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00025.html	Patch Vendor Advisory
http://secunia.com/advisories/57509	Vendor Advisory
http://www.securityfocus.com/bid/66519
https://bugzilla.novell.com/show_bug.cgi?id=864183
https://github.com/crowbar/barclamp-network/pull/269

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:crowbar:barclamp:1.7:*:*:*:*:*:*:*

cpe:2.3:a:novell:suse_cloud:3.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-04-04 14:55

Updated : 2014-04-04 16:20

NVD link : CVE-2014-0592

Mitre link : CVE-2014-0592

CVE.ORG link : CVE-2014-0592

JSON object : View

Products Affected

crowbar

barclamp

novell

suse_cloud

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2014-0592", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-04-04T14:55:19.717", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00025.html", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/57509", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/66519", "source": "cve@mitre.org"}, {"url": "https://bugzilla.novell.com/show_bug.cgi?id=864183", "source": "cve@mitre.org"}, {"url": "https://github.com/crowbar/barclamp-network/pull/269", "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "Barclamp (aka barclamp-network) 1.7 for the Crowbar Framework, as used in SUSE Cloud 3, does not enable netfilter on bridges when creating new instances, which allows remote attackers to bypass security group restrictions via unspecified vectors, related to floating IPs."}, {"lang": "es", "value": "Barclamp (tambi\u00e9n conocido como barclamp-network) 1.7 para el framework de Crowbar, utilizado en SUSE Cloud 3, no habilita netfilter en puentes cuando crea instancias nuevas, lo que permite a atacantes remotos evadir restricciones de seguridad de grupo a trav\u00e9s de vectores no especificados, relacionado con IPs flotantes."}], "lastModified": "2014-04-04T16:20:45.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:crowbar:barclamp:1.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4CA6A01-B458-47DF-80EF-C60731538950"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:novell:suse_cloud:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D546977E-A7CD-4BF3-BE2D-377C594AE736"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}