PT-2019-6504 · Red Hat · Rhev-M Vdc+1

Yaniv Kaul · Published 2019-11-09 · Updated 2019-11-12 · CVE-2009-3552

CVSS v2.0: 2.9 (Low)
Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: RHEV-M VDC version 2.2.0
Description: The client-side Red Hat Enterprise Virtualization Manager (RHEV-M) interface does not verify the SSL certificate of the RHEV-M server it connects to. An attacker on the same local network (the CVSS vector rates access as adjacent network) can therefore mount a man-in-the-middle attack on that connection: impersonate the manager, present the user with attacker-controlled content, or modify the actions the user requests.
Recommendations: For RHEV-M VDC version 2.2.0, consider disabling the client-side Red Hat Enterprise Virtualization Manager interface until a fixed version that verifies the server's SSL certificate is available. In the meantime, restrict network access to the RHEV-M server to trusted hosts and network segments. This limits who can get onto the path between client and manager but does not remove the missing verification, so treat it as a mitigation rather than a fix.
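The following Go program is an added illustration and is not code from RHEV-M, Red Hat or this advisory. It reproduces the flaw class in the description and its fix: a client that skips certificate verification (InsecureSkipVerify) accepts a rogue server that presents a self-signed certificate for the expected name, while a client that verifies the chain against a pinned CA certificate rejects that server and still accepts the legitimate one. The hostname rhevm.example.internal, both certificates, the loopback server and the banners are constructed for the example; the rogue server stands in for the man-in-the-middle host on the local network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "rhevm.example.internal" // hypothetical RHEV-M hostname the client expects

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCert issues a self-signed certificate for name (constructed fixture). The same
// routine serves the real server and the MITM host: the attacker's certificate is well-formed,
// it is just not issued by anyone the client trusts, which is what verification must catch.
func selfSignedCert(name string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// connect starts a throwaway TLS server on loopback presenting cert, connects to it with cfg and
// returns the banner the server sends. The first Read drives the handshake, so a certificate
// verification failure comes back as its error and no content is ever received.
func connect(cfg *tls.Config, cert tls.Certificate, banner string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
		if srv.Handshake() == nil { // only a client that accepted the cert gets the content
			srv.Write([]byte(banner))
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	buf := make([]byte, 256)
	n, err := tls.Client(raw, cfg).Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

// vulnerableConfig reproduces the flaw class in the advisory: the server certificate is
// accepted unchecked, so any host on the path can impersonate the manager.
func vulnerableConfig() *tls.Config {
	return &tls.Config{ServerName: serverName, InsecureSkipVerify: true}
}

// verifyingConfig is the fix: the chain is verified against the pinned CA or server
// certificate and the hostname is checked. (RootCAs left nil would use the system store.)
func verifyingConfig(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{ServerName: serverName, RootCAs: pool}
}

func main() {
	legit := selfSignedCert(serverName) // the real RHEV-M server
	rogue := selfSignedCert(serverName) // attacker on the local network, same name
	body, err := connect(vulnerableConfig(), rogue, "attacker-controlled content")
	fmt.Printf("no verification, rogue server: body=%q err=%v\n", body, err)
	_, err = connect(verifyingConfig(legit.Leaf), rogue, "attacker-controlled content")
	fmt.Printf("pinned CA, rogue server:       err=%v\n", err)
	body, err = connect(verifyingConfig(legit.Leaf), legit, "RHEV-M administration portal")
	fmt.Printf("pinned CA, legitimate server:  body=%q err=%v\n", body, err)
}
```

Run it with go run. The rogue certificate carries the exact hostname the client expects, so hostname checking alone would not stop the attack; it is the chain verification against a trusted root that rejects it, which is the check the affected client lacked.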

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2009-3552

Affected Products

RHEV-M VDC
Red Hat Enterprise Virtualization Manager