Check: ESX1090
VMware ESX 3 Policy:
ESX1090
(in version v1 r2)
Title
Virtual machine rollbacks are performed when virtual machine is connected to the network. (Cat III impact)
Discussion
Virtual machines may be rolled back to a previous state. Rolling back a virtual machine can re-expose patched vulnerabilities, re-enable previously disabled accounts or passwords, remove the machine's log files, bring previously retired encryption keys back into use, and change firewalls to expose vulnerabilities. Rolling back virtual machines can also reintroduce malicious code that had previously been removed, and can cause protocols to reuse TCP sequence numbers, which could allow TCP hijacking attacks.
Check Content
Ask the IAO/SA what process is used for virtual machine rollbacks. If no process is in use that includes disconnecting the virtual machine from the network before performing a revert to snapshot or rollback, this is a finding.
Fix Text
Disconnect from the network or power off the virtual machine before rollbacks.
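One way to enforce the power-off option of this fix in a rollback procedure, as an added example that is not part of the original check. It assumes the ESX 3 service console utility vmware-cmd with its getstate, stop and revertsnapshot operations and a getstate output of the form "getstate() = off"; the names VMCMD, vm_state and safe_revert are hypothetical.

```shell
#!/bin/sh
# Guarded snapshot revert: a VM is rolled back only once it is powered off.
# Assumption: VMCMD is the ESX 3 service console utility vmware-cmd, whose
# getstate operation prints a line such as "getstate() = off".
VMCMD=${VMCMD:-vmware-cmd}

# Print the power state (on, off, suspended, ...) of the VM at config path $1.
vm_state() {
    vs_out=$("$VMCMD" "$1" getstate 2>/dev/null) || return 1
    case $vs_out in
        *"= "*) printf '%s\n' "${vs_out##*= }" ;;
        *) return 1 ;;
    esac
}

# Revert VM $1 to its snapshot. With $2 = --poweroff the VM is stopped first;
# otherwise a VM that is not already off is refused.
# Returns: 0 reverted, 2 refused (not off), 3 state unknown, 4 stop/revert failed.
safe_revert() {
    sr_cfg=$1
    sr_state=$(vm_state "$sr_cfg") || { echo "cannot read state: $sr_cfg" >&2; return 3; }
    if [ "$sr_state" != off ]; then
        if [ "${2:-}" != --poweroff ]; then
            echo "refusing revert: $sr_cfg is $sr_state" >&2
            return 2
        fi
        "$VMCMD" "$sr_cfg" stop trysoft >/dev/null || return 4
        # Re-check: the revert proceeds only on a confirmed "off".
        sr_state=$(vm_state "$sr_cfg") || return 3
        [ "$sr_state" = off ] || return 2
    fi
    "$VMCMD" "$sr_cfg" revertsnapshot >/dev/null || return 4
    echo "reverted $sr_cfg while powered off"
}
```

A suspended VM is refused as well, because the guard accepts only a confirmed "off" state before the revert.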
Additional Identifiers
Rule ID: SV-16847r1_rule
Vulnerability ID: V-15905
Group Title: Virtual machine rollbacks are performed
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |