From: "Daniel P. Berrange" <berrange@redhat.com>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Date: Wed, 24 Aug 2011 14:02:25 +0100
Message-ID: <20110824130225.GI12120@redhat.com>
In-Reply-To: <4E54F4CA.1000809@codemonkey.ws>

On Wed, Aug 24, 2011 at 07:55:38AM -0500, Anthony Liguori wrote:
> On 08/24/2011 07:50 AM, Daniel P. Berrange wrote:
> >On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
> >>On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
> >>>From: "Daniel P. Berrange"<berrange@redhat.com>
> >>>
> >>>In CVE-2011-0011 it was noted that setting an empty password
> >>>would disable all authentication for the VNC password. Commit
> >>>1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
> >>>but it just broke it in a different way, because now instead
> >>>of blindly disabling all authentication, it blindly resets all
> >>>authentication to 'VNC'.
> >>
> >>But this is *not* a security problem. Login becomes disabled as expected.
> >
> >It *is* a security problem, because if you do
> >
> > change vnc password 123
> > change vnc password ""
> > change vnc password 456
> >
> >you have lost the authentication settings you requested.
> >
> >With this patch, changing the password to "" *still* disables
> >the login, without side effects on the auth scheme.
>
> Just because it isn't doing what you expect it to do doesn't make it
> a security problem. This is the current behavior and you simply
> cannot write a management tool without being aware of this behavior
> for better or worse.

This was *not* the behaviour for many releases. It is a regression
against the original behaviour of the change vnc password in QEMU
which we had successfully worked with in libvirt since password+TLS
support was written for QEMU. The current behaviour is unusably
broken. It cannot be used without creating a security problem, whereas
the original QEMU behaviour was successfully usable. Simply saying
that we must create a new command, instead of fixing the QEMU regression
does nothing to help existing apps which are expecting current QEMU
releases to work as previous releases did & as the command is
*documented*:
http://qemu.weilnetz.de/qemu-doc.html#vnc_005fsec_005fcertificate_005fpw
[quote]
3.11.5 With x509 certificates, client verification and passwords
Finally, the previous method can be combined with VNC password authentication to provide two layers of authentication for clients.
qemu [...OPTIONS...] -vnc :1,password,tls,x509verify=/etc/pki/qemu -monitor stdio
(qemu) change vnc password
Password: ********
(qemu)
[/quote]
This documented example no longer works because authentication is being
silently reset.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
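
The three behaviours argued over in this thread, replayed on the `123` / `""` / `456` sequence from the mail. This is a simplified C model added here as an illustration; it is not QEMU source and not part of the original message, and every type and function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the behaviours described in the thread. Not QEMU
 * source: every type and function name here is hypothetical. */
enum auth { AUTH_NONE, AUTH_VNC, AUTH_TLS_X509_VNC };
enum variant { ORIGINAL_CVE, AFTER_1CD20F8, WITH_PATCH };

struct display {
    enum auth auth;       /* scheme requested at startup */
    char password[16];
    bool login_disabled;  /* true: no password is accepted */
};

/* Model of "change vnc password <pw>" under one variant. */
static void change_password(struct display *d, enum variant v, const char *pw)
{
    bool empty = (pw[0] == '\0');
    snprintf(d->password, sizeof d->password, "%s", pw);
    switch (v) {
    case ORIGINAL_CVE:      /* empty password disables all authentication */
        if (empty) d->auth = AUTH_NONE;
        break;
    case AFTER_1CD20F8:     /* login disabled, but auth reset to plain VNC */
        d->login_disabled = empty;
        d->auth = AUTH_VNC;
        break;
    case WITH_PATCH:        /* login disabled, auth scheme left untouched */
        d->login_disabled = empty;
        break;
    }
}

/* Replay the first `steps` commands of the sequence quoted in the mail on a
 * display started with password + TLS + x509verify; return the final state. */
static struct display replay(enum variant v, size_t steps)
{
    static const char *seq[] = { "123", "", "456" };
    struct display d = { AUTH_TLS_X509_VNC, "", false };
    for (size_t i = 0; i < steps && i < sizeof seq / sizeof seq[0]; i++)
        change_password(&d, v, seq[i]);
    return d;
}

int main(void)
{
    printf("after 1cd20f8: auth=%d, with patch: auth=%d\n",
           replay(AFTER_1CD20F8, 3).auth, replay(WITH_PATCH, 3).auth);
    return 0;
}
```

In the model, a management tool can detect the regression by comparing the scheme it configured at startup with the scheme in effect after a password change.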