From: "Daniel P. Berrange"
Date: Wed, 24 Aug 2011 14:02:25 +0100
To: Anthony Liguori
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Message-ID: <20110824130225.GI12120@redhat.com>
In-Reply-To: <4E54F4CA.1000809@codemonkey.ws>
References: <1314183661-14483-1-git-send-email-berrange@redhat.com> <4E54F252.7020007@codemonkey.ws> <20110824125040.GG12120@redhat.com> <4E54F4CA.1000809@codemonkey.ws>

On Wed, Aug 24, 2011 at 07:55:38AM -0500, Anthony Liguori wrote:
> On 08/24/2011 07:50 AM, Daniel P. Berrange wrote:
> >On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
> >>On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
> >>>From: "Daniel P. Berrange"
> >>>
> >>>In CVE-2011-0011 it was noted that setting an empty password
> >>>would disable all authentication for the VNC password. Commit
> >>>1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
> >>>but it just broke it in a different way, because now instead
> >>>of blindly disabling all authentication, it blindly resets all
> >>>authentication to 'VNC'.
> >>
> >>But this is *not* a security problem.  Login becomes disabled as expected.
> >
> >It *is* a security problem, because if you do
> >
> >    change vnc password 123
> >    change vnc password ""
> >    change vnc password 456
> >
> >you have lost the authentication settings you requested.
> >
> >With this patch, changing the password to "" *still* disables
> >the login, without side effects on the auth scheme.
>
> Just because it isn't doing what you expect it to do doesn't make it
> a security problem.  This is the current behavior and you simply
> cannot write a management tool without being aware of this behavior
> for better or worse.

This was *not* the behaviour for many releases. It is a regression
against the original behaviour of the change vnc password command in
QEMU, which we had successfully worked with in libvirt since
password+TLS support was written for QEMU.

The current behaviour is unusably broken. It cannot be used without
creating a security problem, whereas the original QEMU behaviour was
successfully usable.

Simply saying that we must create a new command, instead of fixing the
QEMU regression, does nothing to help existing apps which are expecting
current QEMU releases to work as previous releases did & as the command
is *documented*:

  http://qemu.weilnetz.de/qemu-doc.html#vnc_005fsec_005fcertificate_005fpw

[quote]
3.11.5 With x509 certificates, client verification and passwords

Finally, the previous method can be combined with VNC password
authentication to provide two layers of authentication for clients.

  qemu [...OPTIONS...] -vnc :1,password,tls,x509verify=/etc/pki/qemu -monitor stdio
  (qemu) change vnc password
  Password: ********
  (qemu)
[/quote]

This documented example no longer works because authentication is
being silently reset.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
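The three behaviours argued about in this thread (the original CVE-2011-0011 bug, the reset-to-'VNC' behaviour of commit 1cd20f8b, and the behaviour the patch asks for), modelled so the effect of the 123 / "" / 456 sequence on the configured auth scheme can be seen. This is an added example written for this page, not code from QEMU or from the patch: the layer names, the VncServer class and the three policy functions are this model's own simplifications of what the messages describe, and the starting configuration assumes the documented `-vnc :1,password,tls,x509verify=...` setup.

```python
"""Model of the `change vnc password` behaviours discussed in the thread.

Added example, NOT QEMU code: the layer names, VncServer and the three
policy functions below are simplifications of what the messages describe.
"""

from dataclasses import dataclass

# Authentication layers a client must satisfy, kept as a set so that a
# "reset" of the auth scheme shows up as a change of membership.
TLS, X509VERIFY, PASSWORD = "tls", "x509verify", "password"

# What `-vnc :1,password,tls,x509verify=/etc/pki/qemu` asks for (assumed
# starting point, taken from the documented example quoted above).
FULL_AUTH = frozenset({TLS, X509VERIFY, PASSWORD})


@dataclass
class VncServer:
    required: frozenset = FULL_AUTH  # auth scheme configured at start-up
    password: str = ""               # "" = login disabled (nothing can match)

    def accepts(self, *, tls: bool, valid_cert: bool, password: str) -> bool:
        """Would a client presenting these credentials be let in?"""
        if TLS in self.required and not tls:
            return False
        if X509VERIFY in self.required and not valid_cert:
            return False
        if PASSWORD in self.required:
            # An empty server-side password can never be matched, so an
            # empty password disables login without touching the scheme.
            if not self.password or password != self.password:
                return False
        return True


# --- the three behaviours, as the thread describes them -------------------

def unfixed_cve_2011_0011(srv: VncServer, pw: str) -> None:
    """Original bug: an empty password turned authentication off entirely."""
    if pw == "":
        srv.required = frozenset()
    srv.password = pw


def commit_1cd20f8b(srv: VncServer, pw: str) -> None:
    """First fix as criticised in the thread: every password change resets
    the auth scheme to plain 'VNC', i.e. password only."""
    srv.required = frozenset({PASSWORD})
    srv.password = pw


def patched(srv: VncServer, pw: str) -> None:
    """Behaviour the patch argues for: only the password changes."""
    srv.password = pw


def run(policy, *passwords: str) -> VncServer:
    """Start from the documented two-layer setup and apply the given
    `change vnc password` arguments in order."""
    srv = VncServer()
    for pw in passwords:
        policy(srv, pw)
    return srv


def downgraded(policy) -> bool:
    """True if, after 123 / "" / 456, a client with no TLS and no client
    certificate can log in with just the password: the requested layers
    were silently lost."""
    srv = run(policy, "123", "", "456")
    return srv.accepts(tls=False, valid_cert=False, password="456")


if __name__ == "__main__":
    for policy in (unfixed_cve_2011_0011, commit_1cd20f8b, patched):
        print(f'{policy.__name__:22} downgraded after 123/""/456: {downgraded(policy)}')
```

Running the module shows the point of the thread: under both the unfixed bug and the reset-to-'VNC' fix, the final `change vnc password 456` leaves a server that admits a password-only client with no TLS and no certificate, while the patched behaviour keeps the TLS and x509verify layers and still rejects everyone while the password is "".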