Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Cloud

+ - Multiple Rackspace Security Vulnerabilities Discovered

Submitted by
philip.paradis
philip.paradis writes "According to materials published today, several Rackspace cloud security vulnerabilities have been discovered. Problems with a Rackspace-supplied agent running on cloud servers have been documented, along with a much more severe issue with the method Rackspace has used to generate default root passwords for cloud servers. In short, root password hashes were generated using a legacy hashing function (resulting in cryptographically weaker hashes to start with) and used the system hostname as the first portion of the password.

Thus, cloud servers deployed in this manner would only consider the first eight characters of the root password significant, potentially allowing an attacker with simple knowledge of this weakness and the system's hostname to remotely log in via SSH as root. As hostnames are easily determined by a number of means, the potential for damage is significant. Additionally, evidences exists that Rackspace is storing customer root passwords internally in a recoverable format.

These issues were reported to the company, as described in the previously published Rackspace cloud security pre-advisory. To date, Rackspace has apparently mitigated some of the issues for newly deployed instances, but serious questions remain regarding the integrity of servers in the wild which were deployed using the flawed methods. As the company is a large hosting provider with well known IP space, and the time at which these problems were first manifested is unknown, the number of vulnerable servers could be significant."
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Multiple Rackspace Security Vulnerabilities Discovered

Comments Filter:

Q: How many IBM CPU's does it take to execute a job? A: Four; three to hold it down, and one to rip its head off.

Working...