CVE-2013-6795 Vulnerability in the Rackspace Windows Agent and Updater
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: CVE-2013-6795 Vulnerability in the Rackspace Windows Agent and Updater
- From: andrew@xxxxxxxxxxxxxxxx
- Date: Fri, 22 Nov 2013 14:27:33 GMT

A vulnerability in the Rackspace Windows Agent and Updater was discovered that
allows for modified Agent binaries to be remotely uploaded (without
authentication) to Rackspace Cloud Server guest instances. Modified Agent
binaries are processed as an update for the Agent and arbitrary code can then
be executed after the service is restarted. CloudPassage disclosed the
vulnerability to Rackspace and CVE-2013-6795 was issued by MITRE Corporation.

The Windows Agent and Updater is used by Windows Cloud Server instances on
OpenStack Nova to handle boot configurations for Windows guests running on the
Xen hypervisor. The agent was created by Rackspace for their Windows instances
and both the Agent and Updater services run under the LocalSystem account.

Previous versions of the Updater (before 1.2.6.0) allowed for unsigned agent
updates utilizing a specially crafted .NET remote call to TCP port 1984. The
Update service takes a single .NET serializable object with a URL and an MD5
checksum. Once the sequence is triggered, a ZIP file is downloaded, verified
using the checksum, and extracted into the program folder of the Agent service
before the service is restarted. No authentication is performed by the .NET
remoting service, making it possible to deploy a modified Agent update that
overwrites the running Agent service binary. A proof of concept tool was
developed to trigger the sequence with an arbitrary download URL using the
original .NET libraries from a target.

Full details here:
http://blog.cloudpassage.com/2013/11/18/cve-2013-6795-vulnerability-rackspace-windows-agent-updater/

CloudPassage responsibly disclosed the finding to Rackspace and, as of version
1.2.6.0, the Updater has been changed to use IPC with XenStore and no longer
listens on port 1984. Rackspace recommends that users running a version of the
Windows agent earlier than 1.2.6.1 update to the latest version, available on GitHub at
https://github.com/rackerlabs/openstack-guest-agents-windows-xenserver.
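
Why the MD5 check described above offered no protection, as an added example that is not from the advisory or from Rackspace's code: the caller supplies both the URL and the checksum, so a modified package always verifies. `UpdateRequest`, the `tag` field, the key and the URLs are assumptions made for illustration, with HMAC standing in for a code signature; the fix described above removed the network listener instead.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a vendor release key. HMAC keeps the example in the
# standard library; a real updater would verify an asymmetric signature instead.
VENDOR_KEY = b"constructed-demo-key"

@dataclass
class UpdateRequest:          # hypothetical model of the URL + MD5 request object
    url: str
    md5: str
    tag: str = ""             # hypothetical vendor authenticator (not on the page)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def vendor_tag(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()

def accept_checksum_only(req: UpdateRequest, downloads: dict) -> bool:
    """Behaviour described for pre-1.2.6.0: check the ZIP against the caller's MD5."""
    return md5_hex(downloads[req.url]) == req.md5

def accept_authenticated(req: UpdateRequest, downloads: dict) -> bool:
    """Accept only packages carrying a valid vendor tag; the MD5 is not trusted."""
    return hmac.compare_digest(vendor_tag(downloads[req.url]), req.tag)

def demo() -> dict:
    # Constructed in-memory "downloads" so the example runs offline.
    downloads = {
        "https://vendor.example/agent.zip": b"genuine agent package (constructed)",
        "https://untrusted.example/agent.zip": b"modified agent package (constructed)",
    }
    good_url, bad_url = downloads  # dict preserves insertion order
    genuine = UpdateRequest(good_url, md5_hex(downloads[good_url]),
                            vendor_tag(downloads[good_url]))
    # Whoever sends the request also picks the MD5, so it always matches their file.
    modified = UpdateRequest(bad_url, md5_hex(downloads[bad_url]))
    return {
        "checksum_only": (accept_checksum_only(genuine, downloads),
                          accept_checksum_only(modified, downloads)),
        "authenticated": (accept_authenticated(genuine, downloads),
                          accept_authenticated(modified, downloads)),
    }

if __name__ == "__main__":
    print(demo())
```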