Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node
From: Tomaz Muraus <tomaz () apache org>
Date: Wed, 1 Jan 2014 17:56:20 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when
destroying a DigitalOcean node

Severity: Low

Vendor: Apache Software Foundation

Project: Apache Libcloud (http://libcloud.apache.org/)

Affected Versions: Apache Libcloud 0.12.3 to 0.13.3 (version prior to
0.12.3 don't include a DigitalOcean driver)

Description:

DigitalOcean recently changed the default API behavior from scrub to
non-scrub when destroying a VM.

Libcloud doesn't explicitly send "scrub_data" query parameter when
destroying a node. This means nodes which are destroyed using Libcloud
are vulnerable to later customers stealing data contained on them.

Note: Only users who are using DigitalOcean driver are affected by this issue.

References:

- - http://libcloud.apache.org/security.html
- - https://digitalocean.com/blog_posts/transparency-regarding-data-security
- - https://github.com/fog/fog/issues/2525

Mitigation:

This vulnerability has been fixed in version 0.13.3. Users who use
DigitalOcean driver are strongly encouraged to upgrade to this
release.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQJ8BAEBCgBmBQJSxEgAXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5OTc4MjhEQzYyRjc1OUNFQTE4OUQ2NUUy
QzA3NTRCMkNFMDY5MkYzAAoJECwHVLLOBpLzbRcQAJqSobMiGfjpBQCGhda8zW62
6aPEjyuStv9FZ0/eLN6bxPCV8LdxOYy6M1oehr3ntT56Dd/lZ9+gwJunTH3UqWmq
ZqiwmME8JLhNTLC8tab+yE82lQlck2iXgTaJ5pZfXELFPiTEZ+DAQN26CpkA8bLO
cXAlMJkskPS6BkkgLDtLfO9RHe8T0QsEcHxQSwCpursiIlQEfjG3tQqG21KEvSm6
Q31qv87cZrG2pQPXEQ7Ir59E7Yos/7vEnG57wY/Xj94wKeKpHxnBUUL37BW+/tb1
qP29zZUol628HxowsGCN7xJPlXrcc4wc37rWja/UTcBWZGUk4EKTX9xXVs1jKuPB
lJqlGkEHglRcFI1AJLv9VkPBj77z6aEFu89bbJn8aZwAmPwnIBLZiJGp0LvqlVap
RYgV8SdLb1D4GxTDJJN76PLghMJdo1mEUwLbinr8JGH/MXzTkTUwgMCv7ks8ww7Q
hZp40rKDY+Su7VML6ONcnnvZTlAxCJM2lexD0svV8e3oXf/8lUzlnHCHQH8/TIrV
6DV4mj7Yg+HiR9Tj8+AMAAmC5l88Byl/+sJjAEdWBTKjzwiey5ocDX5s/aL12o+9
JX7vnFOWaGWf0pMeGuCl2gqtG+jFoEkr7BU7d0k7TvVFTQ0jTrrhVv9rbdIiJbK4
HXvdPzy/CBQt0tUGc6UT
=8Jgs
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node Tomaz Muraus (Jan 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault