Ubuntu 13.10 / 14.04 LTS : neutron vulnerabilities (USN-2255-1)

Ubuntu Security Notice (C) 2014-2016 Canonical, Inc. / NASL script (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Darragh O'Reilly discovered that the Ubuntu packaging for OpenStack
Neutron did not properly set up its sudo configuration. If a different
flaw was found in OpenStack Neutron, this vulnerability could be used
to escalate privileges. (CVE-2013-6433)

Stephen Ma and Christoph Thiel discovered that the openvswitch-agent
in OpenStack Neutron did not properly perform input validation when
creating security group rules when specifying --remote-ip-prefix. A
remote authenticated attacker could exploit this to prevent
application of additional rules. (CVE-2014-0187)

Thiago Martins discovered that OpenStack Neutron would inappropriately
apply SNAT rules to IPv6 subnets when using the L3-agent. A remote
authenticated attacker could exploit this to prevent floating IPv4
addresses from being attached throughout the cloud. (CVE-2014-4167).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected python-neutron package.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 76250 ()

Bugtraq ID: 67012
67804
68064

CVE ID: CVE-2013-6433
CVE-2014-0187
CVE-2014-4167

Ready to Scan Unlimited IPs & Run Compliance Checks?

Upgrade to Nessus Professional today!

Buy Now

Combine the Power of Nessus with the Ease of Cloud

Start your free Nessus Cloud trial now!

Begin Free Trial