PT-2016-2288 · Solarwinds · Solarwinds Virtualization Manager
Nate Kettlewell · Published 2016-06-24 · Updated 2016-11-30 · CVE-2016-5709
CVSS v3.1: 4.7 Medium
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
SolarWinds Virtualization Manager versions 6.3.1 and earlier
Description
The issue exists due to weak encryption used for storing passwords. This allows a local attacker to obtain user passwords using a brute force attack. The estimated number of potentially affected devices is not specified.
Recommendations
For SolarWinds Virtualization Manager versions 6.3.1 and earlier, consider restricting access to the /etc/shadow file to minimize the risk of exploitation until a patch is available. As a temporary workaround, restrict superuser access for local users to reduce the potential for brute-force attacks on stored passwords.
Fix
Information Disclosure
Affected Products
Solarwinds Virtualization Manager