eva.tuczai

Security Notice: Directory Traversal and Injection Vulnerabilities Fixed

Blog Post created by eva.tuczai on Jul 28, 2014

Security vulnerabilities were found, and VMTurbo has produced a fix. This post describes the issues and how to obtain the fix.

 

Background

1. (CVE-2014-3806) A directory traversal vulnerability in a script used by the VMTurbo help system allows an attacker to read any file on the VMTurbo virtual machine. Affects VMTurbo Operations Manager versions 4.5 and earlier.

Thanks to Jamal Pecou of Security Focus (https://www.securityfocus.com/) for reporting this issue.

 

2. (No CVE assigned yet; Secunia Advisory SA58880) An OS command injection vulnerability allows an attacker to run arbitrary shell commands with the privileges of the "wwwrun" user. Affects VMTurbo Operations Manager version 4.5 and earlier, as well as version 4.6 prior to revision 28647.

Thanks to Emilio Pinna of Secunia Research (http://secunia.com) for reporting this issue.

 

Resolution

VMTurbo Engineering has produced a fix. Upgrading to Operations Manager version 4.6-28647 or newer will resolve both issues. Please refer to this KB Article on the VMTurbo Support Website.
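
One way to triage an inventory of Operations Manager instances against the affected-version ranges stated in this notice. This is an added example, not VMTurbo code; it assumes build strings take the `4.6-28647` form used above, and the function names and host names are constructed for illustration.

```python
import re

# Thresholds taken from the notice: 4.5 and earlier are affected by both
# issues; 4.6 builds before revision 28647 are affected by the injection only.
FIXED_RELEASE = (4, 6)
FIXED_REVISION = 28647

TRAVERSAL = "CVE-2014-3806 (directory traversal)"
INJECTION = "SA58880 (OS command injection)"

# Assumed build-string form "MAJOR.MINOR[.PATCH][-REVISION]", e.g. "4.6-28647".
_BUILD = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:-(\d+))?\s*$")

# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = {"opsmgr-a": "4.5", "opsmgr-b": "4.6-28000", "opsmgr-c": "4.6-28647"}


def affected_issues(build):
    """Return the issues from the notice that apply to a build string.

    Raises ValueError for strings that do not match the assumed form, so
    an unparseable inventory entry is never silently reported as clean.
    """
    m = _BUILD.match(build)
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    release = (int(m.group(1)), int(m.group(2)))
    revision = int(m.group(3)) if m.group(3) else None

    if release < FIXED_RELEASE:
        return [TRAVERSAL, INJECTION]
    if release == FIXED_RELEASE and (revision is None or revision < FIXED_REVISION):
        # A 4.6 build with no revision recorded cannot be shown to be fixed.
        return [INJECTION]
    return []


def triage(inventory):
    """Map host -> issues, listing only hosts that still need the upgrade."""
    report = {}
    for host, build in inventory.items():
        try:
            issues = affected_issues(build)
        except ValueError:
            issues = ["unknown build, check manually"]
        if issues:
            report[host] = issues
    return report
```

Calling `triage(SAMPLE_INVENTORY)` lists only the hosts still below 4.6-28647; a 4.6 entry with no revision is reported as affected because it cannot be shown to include the fix.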
