CaféX Critical Issue Bulletin 013 - Vulnerability in Supervisor Assist and Chime OVAs

Introduction

A critical security vulnerability has been found in the base operating system image used for all CaféX Chime and Supervisor Assist OVAs. It affects all OVA-based installs of Supervisor Assist and Chime.

Description

The base OVA image includes an OS user that CaféX processes used to launch VMs. Post-install functions required an OS-level user that could execute commands as root. Anyone who knows that this OS user exists and where to find the key can get root access to the instance without any further authentication.
 
It is highly unlikely that the SSH service is accessible from outside of the green zone for any customer install, but we view this as a serious security issue that needs to be resolved.
  
Resolution
 
Please download a copy of the deleteUser.sh script from customer.cafex.com and execute it on your server (or request it from support@cafex.com).

scp -i server.pem deleteUser.sh user@cs-server.cafex.com:/home/user/

ssh -i server.pem user@cs-server.cafex.com

# sudo -s

# cp /home/user/deleteUser.sh /root/

# chmod +x /root/deleteUser.sh

# cd /root

# ./deleteUser.sh --yes

This script will forcibly delete the OS user and their home directory.
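
To confirm afterwards that no account on the instance still combines SSH key login with sudo rights, a check along these lines can be used. It is an added example, not part of this bulletin or of deleteUser.sh; the function names and the optional ROOT path prefix are assumptions, and only sudoers rules that name a user directly are matched.

```shell
#!/bin/sh
# Added example, not CaféX's deleteUser.sh. Lists non-root accounts that both
# accept SSH key logins and are named directly in sudoers.
# ROOT (optional) is a path prefix, so a mounted image can be audited too.

# has_keys FILE: true if FILE has at least one non-blank, non-comment line.
has_keys() {
    [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# sudo_rule USER ROOT: print "nopasswd" or "password"; print nothing if no
# rule names USER. Group (%group) and alias rules are not expanded.
sudo_rule() {
    user=$1; root=$2; found=""
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*${user}[[:space:]].*NOPASSWD" "$f"; then
            echo nopasswd
            return 0
        elif grep -Eq "^[[:space:]]*${user}[[:space:]]" "$f"; then
            found=password
        fi
    done
    if [ -n "$found" ]; then echo "$found"; fi
    return 0
}

# audit_key_sudo_users [ROOT]: print "user:mode" for each matching account.
audit_key_sudo_users() {
    root=${1:-}
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" = 0 ]; then continue; fi   # root's own keys are a separate check
        has_keys "$root$home/.ssh/authorized_keys" || continue
        mode=$(sudo_rule "$name" "$root")
        if [ -n "$mode" ]; then echo "$name:$mode"; fi
    done < "$root/etc/passwd"
    return 0
}
```

Source the file and run audit_key_sudo_users as root once deleteUser.sh has finished; any line it prints names an account that should be reviewed.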