CVE-2016-6338 in Enterprise Virtualization Manager

Summary

by MITRE

ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries.


Analysis

by VulDB Data Team • 09/18/2020

The vulnerability identified as CVE-2016-6338 affects the ovirt-engine-webadmin component of Red Hat Enterprise Virtualization Manager (RHEV-M), in the versions shipped with RHEV-M for Servers and RHEV-M 4.0. It is a session management weakness: the webadmin session timeout can be bypassed, so an authenticated administrative session that should have expired stays usable. The cause is that certain user interface selections start repeating background queries against the engine, and those queries keep the session alive past the configured timeout.

The bypass is not a remote attack and needs no credentials of its own. Once a view that auto-refreshes is selected in the webadmin console, the browser keeps querying the server for as long as the tab stays open, and the server-side session is kept active despite the intended timeout. An attacker with physical access to that console, long after the session should have expired, therefore finds it still authenticated; the same applies if the attacker briefly reaches an unattended console and selects such a view before walking away. This defeats the purpose of the idle timeout, which exists to bound the window in which an unattended administrative session can be abused. The root cause is a session lifecycle problem: the server does not distinguish automated refresh traffic from genuine user activity when deciding whether a session is idle.

From an operational perspective, the flaw raises the risk of unauthorized administrative access wherever physical access to management workstations is not strictly controlled. Whoever reaches the console inherits the full privileges of the logged-in administrator, which on RHEV-M means control over the virtualization infrastructure: hosts, storage domains, networks and every virtual machine, including the ability to alter configuration or extract data. Because the attack needs only proximity rather than any network-based exploitation, it is most relevant to data centers, operations rooms and shared workstations where an administrator may leave a logged-in browser open.

The weakness is classified as CWE-613 (Insufficient Session Expiration). VulDB maps it to ATT&CK T1078.004 (Valid Accounts: Cloud Accounts) and T1566.001 (Phishing: Spearphishing Attachment); note that the vector described here is physical access to an already authenticated console, so neither mapping describes how the bypass is actually reached. Mitigation is to update to a version of RHEV-M in which the background refresh no longer extends the session, and until then to enforce physical access controls on management workstations and to review administrative session durations for sessions that outlive the configured timeout. Defence in depth includes a short idle timeout, an absolute maximum session lifetime that is enforced regardless of activity, and the habit of logging out or locking the workstation rather than relying on expiry. The case is a reminder that an idle timeout is only as good as the definition of "idle" it is built on.
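To make the mechanism and the fix concrete, the following Python model is an added example; it is not ovirt-engine code and does not use its classes or settings. It simulates a server-side session under two policies: the vulnerable one treats every served request, including a background refresh poll, as user activity; the hardened one ignores polls when resetting the idle timer and adds an absolute lifetime cap. The model assumes the server can tell a background poll from a user-driven request (the `background` flag on `Request` is a hypothetical marker for that), and the policies, timings and scenario are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Illustrative model of CWE-613 as seen in CVE-2016-6338. Not ovirt-engine code;
# all names, timings and policies here are constructed for the example.


@dataclass
class Request:
    t: float           # seconds since login on a simulated clock
    background: bool   # True for an automatic refresh poll, False for a user action
                       # (hypothetical marker: assumes the server can tell them apart)


@dataclass
class SessionPolicy:
    idle_timeout: float                        # seconds without activity before expiry
    absolute_lifetime: Optional[float] = None  # hard cap on session age; None = no cap
    ignore_background: bool = False            # if True, polls do not reset the idle timer


@dataclass
class Session:
    created_at: float
    last_activity: float


def is_alive(sess: Session, policy: SessionPolicy, now: float) -> bool:
    """A session is alive if it is inside both the idle window and the absolute cap."""
    if policy.absolute_lifetime is not None and now - sess.created_at >= policy.absolute_lifetime:
        return False
    return now - sess.last_activity < policy.idle_timeout


def handle(sess: Session, policy: SessionPolicy, req: Request) -> bool:
    """Serve one request. Returns False if the session had already expired.

    The vulnerable behaviour is the default: every served request, including a
    background poll, counts as activity and resets the idle timer. With
    ignore_background=True only user-driven requests move last_activity.
    """
    if not is_alive(sess, policy, req.t):
        return False
    if not (req.background and policy.ignore_background):
        sess.last_activity = req.t
    return True


def simulate(policy: SessionPolicy, user_actions: List[float],
             poll_interval: int, horizon: int) -> Optional[float]:
    """Replay a session and return the time of the first rejected request,
    or None if the session was still being served at `horizon`.

    user_actions: times of genuine clicks. A view that auto-refreshes every
    poll_interval seconds generates the background polls.
    """
    sess = Session(created_at=0.0, last_activity=0.0)
    reqs = [Request(float(t), False) for t in user_actions]
    reqs += [Request(float(t), True) for t in range(poll_interval, horizon + 1, poll_interval)]
    reqs.sort(key=lambda r: (r.t, r.background))   # user action first on a tie
    for r in reqs:
        if not handle(sess, policy, r):
            return r.t
    return None


# Constructed policies: 30 min idle timeout; the hardened one also caps a session at 8 h.
VULNERABLE = SessionPolicy(idle_timeout=1800)
HARDENED = SessionPolicy(idle_timeout=1800, absolute_lifetime=8 * 3600, ignore_background=True)

# Constructed scenario: the admin clicks twice, then walks away from a view that
# polls every 30 s, and nobody touches the console for 24 h.
UNATTENDED_CLICKS = [60, 120]
DAY = 24 * 3600

if __name__ == "__main__":
    print("vulnerable, unattended:", simulate(VULNERABLE, UNATTENDED_CLICKS, 30, DAY))
    print("hardened,   unattended:", simulate(HARDENED, UNATTENDED_CLICKS, 30, DAY))
    busy = list(range(600, DAY + 1, 600))
    print("hardened,   busy all day:", simulate(HARDENED, busy, 30, DAY))
```

Under the vulnerable policy the unattended session is still being served after 24 hours, because every 30 second poll resets the idle timer; the same session with polling disabled expires at the first request after the timeout, which is exactly the gap the CVE describes. Under the hardened policy the polls are served but not counted, so the session dies 30 minutes after the last real click, and an administrator who is genuinely active all day is still cut off at the 8 hour cap. The design point is that the idle timer must be driven by user intent, not by whatever the client happens to send, and that an absolute lifetime is the backstop for the cases where that distinction is wrong.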

Reservation

07/26/2016

Disclosure

04/20/2017

Moderation

accepted

CPE

ready

EPSS

0.00063

KEV

no

Activities

very low

Sources
