Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Red Hat: 2013:0849-01: KVM image: Important Advisory Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
RedHat Linux The Red Hat Enterprise Linux 6.4 KVM Guest Image for cloud instances had an empty root password by default. The Red Hat Security Response Team has rated this update as having [More...]
                   Red Hat Security Advisory

Synopsis:          Important: KVM image security update
Advisory ID:       RHSA-2013:0849-01
Product:           Red Hat Common
Advisory URL:
Issue date:        2013-05-23
CVE Names:         CVE-2013-2069 

1. Summary:

The Red Hat Enterprise Linux 6.4 KVM Guest Image for cloud instances had
an empty root password by default.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Description:

Red Hat provides a Red Hat Enterprise Linux 6.4 KVM Guest Image for
cloud instances. This image is provided as a minimally configured system
image which is available for use as-is or for configuration and
customization as required by end users.

The Red Hat Enterprise Linux 6.4 KVM Guest Image for cloud instances had an
empty root password by default. To address this, Red Hat has created an
updated image that locks the root password by default. This updated image
is now available on RHN.

To correct existing Red Hat Enterprise Linux 6.4 KVM Guest Images, any
images or systems built using this Red Hat Enterprise Linux 6.4 KVM Guest
Image, or any currently running Red Hat Enterprise Linux instances
instantiated from this image, users can lock the root password by issuing,
as root, the command:

passwd -l root

Note: The default OpenSSH configuration disallows password logins when
the password is empty, preventing a remote attacker from logging in
without a password.

Root Cause

Kickstart can be used to automate operating system installations. A
Kickstart file specifies settings for an installation. Once the
installation system boots, it can read a Kickstart file and carry out the
installation process without any further input from a user. Kickstart is
used as part of the process of creating Images of Red Hat Enterprise Linux
for cloud providers.

It was discovered that when no 'rootpw' command was specified in a
Kickstart file, the image creator tools gave the root user an empty
password rather than leaving the password locked, which could allow a local
user to gain access to the root account (CVE-2013-2069).

We have corrected this issue by updating the Kickstart file used to build
affected images to lock the password file.

This issue was caused by the way a tool was used to create Images, and not
due to a security vulnerability in Red Hat Enterprise Linux.

To import the image into an OpenStack environment, download the image from
Red Hat Network to a system that has the python-glanceclient package
installed. Refer to the OpenStack Getting Started Guide, linked to in the
References, for information on importing the image into an OpenStack
environment. After successfully importing, it is also highly recommended
that the "glance delete" command is used to delete any previous versions of
the image that exist in the Glance image registry.

3. Solution:

The updated image is available from RHN, linked to in the References.

4. Bugs fixed (

964299 - CVE-2013-2069 livecd-tools: improper handling of passwords

5. References:

6. Contact:

The Red Hat security contact is .  More contact
details at

Copyright 2013 Red Hat, Inc.
< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Feds Charged With Stealing Money During Silk Road Investigation
EFF questions US government's software flaw disclosure policy
Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.