[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC
From: |
Daniel P. Berrange |
Subject: |
Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings |
Date: |
Wed, 24 Aug 2011 14:02:25 +0100 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Wed, Aug 24, 2011 at 07:55:38AM -0500, Anthony Liguori wrote:
> On 08/24/2011 07:50 AM, Daniel P. Berrange wrote:
> >On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
> >>On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
> >>>From: "Daniel P. Berrange"<address@hidden>
> >>>
> >>>In CVE-2011-0011 it was noted that setting an empty password
> >>>would disable all authentication for the VNC password. Commit
> >>>1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
> >>>but it just broke it in a different way, because now instead
> >>>of blindly disabling all authentication, it blindly resets all
> >>>authentication to 'VNC'.
> >>
> >>But this is *not* a security problem. Login becomes disabled as expected.
> >
> >It *is* a security problem, because if you do
> >
> > change vnc password 123
> > change vnc password ""
> > change vnc password 456
> >
> >you have lost the authentication settings you requested.
> >
> >With this patch, changing the password to "" *still* disables
> >the login, without side effects on the auth scheme.
>
> Just because it isn't doing what you expect it to do doesn't make it
> a security problem. This is the current behavior and you simply
> cannot write a management tool without being aware of this behavior
> for better or worse.
This was *not* the behaviour for many releases. It is a regression
against the original behaviour of the change vnc password in QEMU
which we had succesfully worked with in libvirt since password+TLS
support was written for QEMU. The current behaviour is unusably
broken. It cannot be used without creating a security problem, where
as the original QEMU behaviour was succesfully usable. Simply saying
that we must create a new command, instead of fixing the QEMU regression
does nothing to help existing apps which are expecting current QEMU
releases to work as previous releases did & as the command is
*documented* :
http://qemu.weilnetz.de/qemu-doc.html#vnc_005fsec_005fcertificate_005fpw
[quote]
3.11.5 With x509 certificates, client verification and passwords
Finally, the previous method can be combined with VNC password authentication
to provide two layers of authentication for clients.
qemu [...OPTIONS...] -vnc :1,password,tls,x509verify=/etc/pki/qemu -monitor
stdio
(qemu) change vnc password
Password: ********
(qemu)
[/quote]
This documented example no longer works because authentication is being
silently reset.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|