Nick Barcet

**Name of the Vulnerable Software and Affected Versions** VMBuilder version 0.9 **Description** The issue concerns the python-vm-builder and ubuntu-vm-builder implementations in VMBuilder. These implementations omit the -e option when invoking chpasswd with a root:! argument. As a result, the root account is configured with a cleartext password of !, allowing attackers to bypass intended login restrictions. **Recommendations** For VMBuilder version 0.9, consider updating to a newer version that includes the -e option when invoking chpasswd to prevent the configuration of the root account with a cleartext password. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ubuntu versions 6.06 LTS, 7.10, 8.04 LTS, and 8.10 **Description** The issue allows attackers to bypass intended login restrictions due to the default root password being set to `!` (exclamation point) when Ubuntu is installed as a virtual machine using python-vm-builder or ubuntu-vm-builder in VMBuilder 0.9 in Ubuntu 8.10. **Recommendations** For Ubuntu versions 6.06 LTS, 7.10, 8.04 LTS, and 8.10, change the default root password to a secure password to prevent unauthorized access.