CVE-2015-7945
published 2017-08-18


Priority: P260 high · CVSS 3.0: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 9.36% (94.8th percentile)
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.

Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ganeti | < ganeti 2.15.2-1 (bookworm) | ganeti 2.15.2-1 (bookworm) |
| spi-inc | ganeti | <= 2.9.6 | |
| spi-inc | ganeti | | |

Detection & IOCs (extracted from sources)

  • port: 5080
  • path: /2/networks/
  • path: /2/jobs/
  • path: /var/lib/ganeti/config.data
  • process: ganeti-rapi
  • Monitor unauthenticated HTTP/HTTPS requests to the Ganeti RAPI daemon on port 5080, specifically enumeration of /2/jobs/* and /2/instances/* endpoints which can leak DRBD secrets and osparams_secret from job results.
  • Detect repeated SSL renegotiation attempts against port 5080 (ganeti-rapi); a single thread can drive ganeti-rapi CPU to ~75%, multiple threads will exhaust all CPUs — alert on high CPU usage by the ganeti-rapi process combined with inbound TLS renegotiation traffic.
  • Look for the GHETTO-BLASTER tool or its output file patterns (e.g., files named 2-jobs-*, 2-instances-*, 2-networks*, 1-list-collectors, 1-report-all, 2-features, 2-info) on attacker-controlled hosts or in forensic artefacts.
  • Flag access to the osparams_secret field in RAPI job result responses, as it is readable without authentication via the RAPI daemon.
  • The Ganeti RAPI daemon listens on every interface by default; detect external/internet-sourced connections to TCP port 5080 as anomalous.
  • The RAPI daemon (ganeti-rapi) listens on all interfaces by default, making it reachable without authentication from any network unless explicitly restricted.
  • The DRBD secret key is stored in /var/lib/ganeti/config.data and is exposed via unauthenticated RAPI job result queries only when DRBD is in use; deployments without DRBD are not affected by the secret-leak aspect.
  • Secure Renegotiation being supported on the RAPI TLS endpoint is a prerequisite for the SSL DoS vector (CVE-2015-7944); verify whether your Ganeti/OpenSSL build has this enabled.
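
The first and fifth detection notes above can be checked against HTTP access logs. The following is an added example, not code from Ganeti or from the sources this page summarises. It assumes Common Log Format lines from a proxy or HTTP logger in front of ganeti-rapi on port 5080; the management range `MGMT_NETS`, the threshold `ENUM_THRESHOLD` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this sketch (not from the page): management range, threshold.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ENUM_THRESHOLD = 3  # distinct job/instance resources fetched per source

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
WATCHED = re.compile(r"^/2/(?:jobs|instances)/[^/?]+")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.20.0.5 - admin [18/Aug/2017:10:00:01 +0000] "GET /2/jobs/101 HTTP/1.1" 200 812
198.51.100.7 - - [18/Aug/2017:10:00:02 +0000] "GET /2/jobs/1 HTTP/1.1" 200 640
198.51.100.7 - - [18/Aug/2017:10:00:02 +0000] "GET /2/jobs/2 HTTP/1.1" 200 655
198.51.100.7 - - [18/Aug/2017:10:00:03 +0000] "GET /2/instances/web1/info HTTP/1.1" 200 98
10.20.0.9 - - [18/Aug/2017:10:00:04 +0000] "GET /2/info HTTP/1.1" 200 431
203.0.113.4 - - [18/Aug/2017:10:00:05 +0000] "GET /2/jobs/5 HTTP/1.1" 401 0
10.20.0.9 - - [18/Aug/2017:10:00:06 +0000] "GET /2/jobs/7 HTTP/1.1" 200 702
"""


def analyze(log_text):
    """Return sources outside MGMT_NETS and sources enumerating jobs/instances."""
    fetched = defaultdict(set)  # source -> resources read without credentials
    external = set()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line
        src, user, _method, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # host field is a name, not an address; out of scope here
        if not any(addr in net for net in MGMT_NETS):
            external.add(src)  # RAPI reached from outside the management range
        hit = WATCHED.match(path)
        if hit and user == "-" and status == "200":
            fetched[src].add(hit.group(0))  # successful unauthenticated read
    enumerators = {s for s, r in fetched.items() if len(r) >= ENUM_THRESHOLD}
    return {"external": sorted(external), "enumerators": sorted(enumerators)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single unauthenticated read from inside the management range (10.20.0.9 in the sample) stays below the threshold; lower `ENUM_THRESHOLD` to 1 to surface every unauthenticated job or instance read.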

CVSS provenance

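| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |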