This issue was found in vdsm that allowed the storage of the values of sensitive vdsm functions in the log files.

These values may then be exposed in the logs of other VMs, possibly allowing attackers to determine the names of other VMs on the same physical host, allowing them to be targeted with further attacks.
In vdsm a race condition was found that could allow malicious code to be executed on the host machine. This issue was found in vdsm that could allow malicious code to be executed on the host machine.
In vdsm a code path was found where a malicious user could obtain host OS privileges. In VDSM a code path was found where a malicious user could obtain host OS privileges.

What is VDSM?

VDSM is the Virtual Data Storage Manager. It is a program that manages storage in virtual machines on a physical host machine such as vdsm.
This issue was found in VDSM, which may allow malicious code to be executed on the host machine. In VDSM, a race condition was found that could allow malicious code to be executed on the host machine. In VDSM, a code path was found where a malicious user could obtain host OS privileges.
The following bulletin has been published to address this CVE:

References:

- https://www.kb.cert.org/vuls/id/2022-0207
- https://blog.thawte.com/2018/02/07/summary-of-recent-vulnerability-reports

Vulnerability Dissection

CERT-VULN-22211 - VDSM Information Disclosure and Privilege Escalation

This issue was found in vdsm that allowed the storage of the values of sensitive vdsm functions in the log files. These values may then be exposed in the logs of other VMs, possibly allowing attackers to determine the names of other VMs on the same physical host, allowing them to be targeted with further attacks. In vdsm a race condition was found that could allow malicious code to be executed on the host machine. This issue was found in vdsm that could allow malicious code to be executed on the host machine. In vdsm a code path was found where a malicious user could obtain host OS privileges.

Timeline

Published on: 08/26/2022 18:15:00 UTC
Last modified on: 09/01/2022 14:54:00 UTC

References