Description
vzctl before 4.9.4 determines the virtual environment (VE) layout based on the presence of root.hdd/DiskDescriptor.xml in the VE private directory, which allows local simfs container (CT) root users to change the root password for arbitrary ploop containers, as demonstrated by a symlink attack on the ploop container root.hdd file and then access a control panel.
References (4)
Core 4
Core References
Patch x_refsource_confirm
https://openvz.org/Download/vzctl/4.9.4
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201701-30
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2015/dsa-3357
Exploit x_refsource_confirm
https://src.openvz.org/projects/OVZL/repos/vzctl/commits/9e98ea630ac0e88b44e3e23c878a5166aeb74e1c
Scores
EPSS
0.0050
EPSS Percentile
38.9%
Details
CWE
CWE-59
Status
published
Products (1)
openvz/vzctl
< 4.9.3
Published
Sep 28, 2015
Tracked Since
Feb 18, 2026