Faraday 1.0.16

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for the distribution, indexing and analysis of the data generated during a security audit. The main purpose of Faraday is to re-use the tools already available in the community and take advantage of them in a multiuser way.

Personal Device Security During the Holiday Season

Original release date: December 21, 2015

As the winter holiday travel season begins, US-CERT and Stop.Think.Connect would like to remind users to be mindful of the security risks associated with portable devices such as smartphones, tablets, and laptops. These devices offer a range of conveniences such as allowing us to order gifts on the go, providing us with directions, and even letting us download our boarding pass to pass through security with just our mobile device. However, with all of these added conveniences often come potential threats and vulnerabilities.

US-CERT would like to encourage users to review the following Cybersecurity Tips. Following the security practices suggested in each tip will help to keep your portable devices secure during the holiday season and throughout the year.


This product is provided subject to this Notification and this Privacy & Use policy.

Red Hat Security Advisory 2015-2673-01

Red Hat Security Advisory 2015-2673-01 – OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances and controlling access through users and projects. A vulnerability was discovered in the way OpenStack Compute networking handled security group updates; changes were not applied to already running VM instances. A remote attacker could use this flaw to access running VM instances.

Red Hat Security Advisory 2015-2650-01

Red Hat Security Advisory 2015-2650-01 – Red Hat Enterprise Linux OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service cloud based on Red Hat Enterprise Linux OpenStack Platform. It was discovered that the director’s NeutronMetadataProxySharedSecret parameter remained specified at the default value of ‘unset’. This value is used by OpenStack Networking to sign instance headers; if unchanged, an attacker knowing the shared secret could use this flaw to spoof OpenStack Networking metadata requests.

Red Hat Security Advisory 2015-2685-01

Red Hat Security Advisory 2015-2685-01 – OpenStack Bare Metal is a tool used to provision bare metal machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific functionality. It was discovered that enabling debug mode in openstack-ironic-discoverd also enabled debug mode in the underlying Flask framework. If errors were encountered while Flask was in debug mode, a user experiencing an error might be able to access the debug console.

Faraday v1.0.16: (Group vulns by fields, Filter false-positives, Canvas plugin)

Posted by Francisco Amato on Dec 21

We are proud to present Faraday v1.0.16!

This version comes with major changes to our Web UI, including the
possibility to mark vulnerabilities as false positives. You can now
create an Executive Report using only confirmed vulnerabilities,
saving you even more time.

A brand new feature that comes with v1.0.16 is the ability to group
vulnerabilities by any field in our Status Report view. Combine it
with bulk edit to manage your findings faster…

HP Security Bulletin HPSBGN03527 1

HP Security Bulletin HPSBGN03527 1 – A potential security vulnerability has been identified with HPE Helion Eucalyptus. The vulnerability could be exploited to bypass access permissions by a remote authenticated user. Notes: – In Eucalyptus, following the AWS model, IAM roles are used to temporarily allow users or services to access resources within or across accounts. Access to roles is determined by the role's trust policy and a set of user permissions. The trust policy is associated with a role and defines which accounts or services are allowed to assume the role. User permissions are defined by the policy associated with the user, and define a set of actions and resources that the user is allowed to access. – An issue has been identified in how Eucalyptus checks user permissions when allowing a user to assume a role. Given that the grant policy allows the user's account to assume the role, any user in that account would be able to assume the role, even if the user's policy does not explicitly grant the AssumeRole permission for the role. As a result, in some cases authenticated users could gain privileges by assuming an IAM role that they were not intended to have access to. The impact is mitigated by the fact that the role's trust policy still has to explicitly authorize the user's account to access the role. Revision 1 of this advisory.