Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC
From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Date: Wed, 24 Aug 2011 07:55:38 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110516 Lightning/1.0b2 Thunderbird/3.1.10

On 08/24/2011 07:50 AM, Daniel P. Berrange wrote:
> On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
>> On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
>>> From: "Daniel P. Berrange" <address@hidden>
>>>
>>> In CVE-2011-0011 it was noted that setting an empty password
>>> would disable all authentication for the VNC password. Commit
>>> 1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
>>> but it just broke it in a different way, because now instead
>>> of blindly disabling all authentication, it blindly resets all
>>> authentication to 'VNC'.
>>
>> But this is *not* a security problem.  Login becomes disabled as expected.
>
> It *is* a security problem, because if you do
>
>    change vnc password 123
>    change vnc password ""
>    change vnc password 456
>
> you have lost the authentication settings you requested.
>
> With this patch, changing the password to "" *still* disables
> the login, without side effects on the auth scheme.

Just because it isn't doing what you expect it to do doesn't make it a security problem. This is the current behavior and you simply cannot write a management tool without being aware of this behavior, for better or worse.

The password change interface should not be overloaded to deal with disabling login. There should be a higher level QMP command to do this.

>> We should really not overload the semantics of the change command
>> like this and instead introduce a new QMP operation to disable
>> login.
>
> This change I mention below is the one that overloaded the semantics
> by making a password change also change the auth scheme, breaking
> the original behaviour.  If we want apps to be able to change the
> auth scheme that needs a separate monitor command.
>
> The current behaviour is not usable and introduces a security problem
> by changing auth scheme without being asked to.

I'll buy an argument about usability but not about security. We need a higher level command to disable login and a higher level command to set the vnc password. This interface should be considered deprecated.

Regards,

Anthony Liguori

> Daniel
