Weak Password Encryption in SolarWinds Virtualization Manager
CVE-2016-5709

4.7MEDIUM

Key Information:

Vendor: Solarwinds
Status: Virtualization Manager
Vendor: CVE Published:; 24 June 2016

What is CVE-2016-5709?

SolarWinds Virtualization Manager prior to version 6.3.1 utilizes a weak encryption mechanism to store passwords in the /etc/shadow file. This serious oversight permits local users with superuser privileges to potentially retrieve these passwords through brute force attacks, compromising the security of the system and its users.

References

http://packetstormsecurity.com/files/137525/Solarwinds-Vi...

x_refsource_MISC

http://seclists.org/fulldisclosure/2016/Jun/38

mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2016
Vulnerability Reserved
Jun 16, 2016