From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Date: Wed, 24 Aug 2011 07:55:38 -0500 [thread overview]
Message-ID: <4E54F4CA.1000809@codemonkey.ws> (raw)
In-Reply-To: <20110824125040.GG12120@redhat.com>
On 08/24/2011 07:50 AM, Daniel P. Berrange wrote:
> On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
>> On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
>>> From: "Daniel P. Berrange"<berrange@redhat.com>
>>>
>>> In CVE-2011-0011 it was noted that setting an empty password
>>> would disable all authentication for the VNC password. Commit
>>> 1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
>>> but it just broke it in a different way, because now instead
>>> of blindly disabling all authentication, it blindly resets all
>>> authentication to 'VNC'.
>>
>> But this is *not* a security problem. Login becomes disabled as expected.
>
> It *is* a security problem, because if you do
>
> change vnc password 123
> change vnc password ""
> change vnc password 456
>
> you have lost the authentication settings you requested.
>
> With this patch, changing the password to "" *still* disables
> the login, without side effects on the auth scheme.
Just because it isn't doing what you expect it to do doesn't make it a
security problem. This is the current behavior and you simply cannot
write a management tool without being aware of this behavior for better
or worse.
The password change interface should not be overloaded to deal disable
login. There should be a higher level QMP command to do this.
>
>> We should really not overload the semantics of the change command
>> like this and instead introduce a new QMP operation to disable
>> login.
>
> This change I mention below is the one that overloaded the semantics
> by making a password change, also change the auth scheme, breaking
> the original behaviour. If we want apps to be able to change the
> auth scheme that needs a separate monitor command.
>
> The current behaviour is not usable and introduces a security problem
> by changing auth scheme without being asked to.
I'll buy an argument about usability but not about security. We need a
higher level command to disable login and a higher level command to set
the vnc password. This interface should be considered deprecated.
Regards,
Anthony Liguori
> Daniel
next prev parent reply other threads:[~2011-08-24 12:55 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-24 11:01 [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings Daniel P. Berrange
2011-08-24 12:45 ` Anthony Liguori
2011-08-24 12:50 ` Daniel P. Berrange
2011-08-24 12:55 ` Anthony Liguori [this message]
2011-08-24 13:02 ` Daniel P. Berrange
2011-08-24 14:52 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E54F4CA.1000809@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=berrange@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.