low

Predictible seed in Anthos Identity Service LDAP module

Published Wed, Sep 22nd, 2021
Platforms

Summary

A vulnerability was discovered in the Anthos Identity Service (AIS) LDAP module of Anthos clusters on VMware versions 1.8 and 1.8.1 where a seed key used in generating keys is predictable. With this vulnerability, an authenticated user could add arbitrary claims and escalate privileges indefinitely.

Affected Services

Anthos

Remediation

Upgrade your clusters to version 1.8.2.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/ramimac
Disclosure Date
-
Exploitablity Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
-

More vulnerabilities...

high

AWS Workspace client RCE

If a user with AWS WorkSpaces 3.0.10-3.1.8 installed visits a page in their web browser with attacker controlled content, the attacker can get zero click RCE under common circumstances.

...
David Yesland, Rhino Security

medium

GCP IAP bypass

Convincing a victim to click a specially crafted link would allow the attacker to bypass the Identity-Aware Proxy (a core component of BeyondCorp).

Unknown

medium

Azure privilege escalation via Log Analytics role

Azure AD users could escalate their privileges using the Log Analytics Contributor role to reach the full Subscription Contributor role.

...
Karl Fosaaen, NetSPI

View all