CVE-2015-7945
published 2017-08-18CVE-2015-7945: The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before…
PriorityP260high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
9.36%
94.8th percentile
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
Affected
34 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ganeti | < ganeti 2.15.2-1 (bookworm) | ganeti 2.15.2-1 (bookworm) |
| spi-inc | ganeti | <= 2.9.6 | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
| spi-inc | ganeti | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor unauthenticated HTTP/HTTPS requests to the Ganeti RAPI daemon on port 5080, specifically enumeration of /2/jobs/* and /2/instances/* endpoints which can leak DRBD secrets and osparams_secret from job results. ↗
- →Detect repeated SSL renegotiation attempts against port 5080 (ganeti-rapi); a single thread can drive ganeti-rapi CPU to ~75%, multiple threads will exhaust all CPUs — alert on high CPU usage by the ganeti-rapi process combined with inbound TLS renegotiation traffic. ↗
- →Look for the GHETTO-BLASTER tool or its output file patterns (e.g., files named 2-jobs-*, 2-instances-*, 2-networks*, 1-list-collectors, 1-report-all, 2-features, 2-info) on attacker-controlled hosts or in forensic artefacts. ↗
- →Flag access to the osparams_secret field in RAPI job result responses, as it is readable without authentication via the RAPI daemon. ↗
- →The Ganeti RAPI daemon listens on every interface by default; detect external/internet-sourced connections to TCP port 5080 as anomalous. ↗
- ·The RAPI daemon (ganeti-rapi) listens on all interfaces by default, making it reachable without authentication from any network unless explicitly restricted. ↗
- ·The DRBD secret key is stored in /var/lib/ganeti/config.data and is exposed via unauthenticated RAPI job result queries only when DRBD is in use; deployments without DRBD are not affected by the secret-leak aspect. ↗
- ·Secure Renegotiation being supported on the RAPI TLS endpoint is a prerequisite for the SSL DoS vector (CVE-2015-7944); verify whether your Ganeti/OpenSSL build has this enabled. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_debian7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2rx4-8xc8-6hf3: The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2
ghsa_unreviewed·2022-05-13
CVE-2015-7945 [HIGH] CWE-200 GHSA-2rx4-8xc8-6hf3: The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
OSV
CVE-2015-7945: The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2
osv·2017-08-18·CVSS 7.5
CVE-2015-7945 [HIGH] CVE-2015-7945: The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
Debian
CVE-2015-7945: ganeti - The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, ...
vendor_debian·2015·CVSS 7.5
CVE-2015-7945 [HIGH] CVE-2015-7945: ganeti - The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, ...
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
Scope: local
bookworm: resolved (fixed in 2.15.2-1)
bullseye: resolved (fixed in 2.15.2-1)
sid: resolved (fixed in 2.15.2-1)
trixie: resolved (fixed in 2.15.2-1)
No detection rules found.
http://docs.ganeti.org/ganeti/2.10/html/news.html#version-2-10-8http://docs.ganeti.org/ganeti/2.11/html/news.html#version-2-11-8http://docs.ganeti.org/ganeti/2.12/html/news.html#version-2-12.6http://docs.ganeti.org/ganeti/2.13/html/news.html#version-2-13-3http://docs.ganeti.org/ganeti/2.14/html/news.html#version-2-14-2http://docs.ganeti.org/ganeti/2.15/html/news.html#version-2-15-2http://docs.ganeti.org/ganeti/2.9/html/news.html#version-2-9-7http://packetstormsecurity.com/files/135101/Ganeti-Leaked-Secret-Denial-Of-Service.htmlhttp://www.debian.org/security/2016/dsa-3431http://www.ocert.org/advisories/ocert-2015-012.htmlhttps://www.exploit-db.com/exploits/39169/http://docs.ganeti.org/ganeti/2.10/html/news.html#version-2-10-8http://docs.ganeti.org/ganeti/2.11/html/news.html#version-2-11-8http://docs.ganeti.org/ganeti/2.12/html/news.html#version-2-12.6http://docs.ganeti.org/ganeti/2.13/html/news.html#version-2-13-3http://docs.ganeti.org/ganeti/2.14/html/news.html#version-2-14-2http://docs.ganeti.org/ganeti/2.15/html/news.html#version-2-15-2http://docs.ganeti.org/ganeti/2.9/html/news.html#version-2-9-7http://packetstormsecurity.com/files/135101/Ganeti-Leaked-Secret-Denial-Of-Service.htmlhttp://www.debian.org/security/2016/dsa-3431http://www.ocert.org/advisories/ocert-2015-012.htmlhttps://www.exploit-db.com/exploits/39169/
2017-08-18
Published