From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings
Date: Wed, 24 Aug 2011 07:55:38 -0500
Message-ID: <4E54F4CA.1000809@codemonkey.ws>
In-Reply-To: <20110824125040.GG12120@redhat.com>

On 08/24/2011 07:50 AM, Daniel P. Berrange wrote:
> On Wed, Aug 24, 2011 at 07:45:06AM -0500, Anthony Liguori wrote:
>> On 08/24/2011 06:01 AM, Daniel P. Berrange wrote:
>>> From: "Daniel P. Berrange"<berrange@redhat.com>
>>>
>>> In CVE-2011-0011 it was noted that setting an empty password
>>> would disable all authentication for the VNC password. Commit
>>> 1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b attempted to fix this
>>> but it just broke it in a different way, because now instead
>>> of blindly disabling all authentication, it blindly resets all
>>> authentication to 'VNC'.
>>
>> But this is *not* a security problem.  Login becomes disabled as expected.
>
> It *is* a security problem, because if you do
>
>    change vnc password 123
>    change vnc password ""
>    change vnc password 456
>
> you have lost the authentication settings you requested.
>
> With this patch, changing the password to "" *still* disables
> the login, without side effects on the auth scheme.

Just because it isn't doing what you expect it to do doesn't make it a 
security problem.  This is the current behavior and you simply cannot 
write a management tool without being aware of this behavior for better 
or worse.

The password change interface should not be overloaded to disable 
login.  There should be a higher level QMP command to do this.

>
>> We should really not overload the semantics of the change command
>> like this and instead introduce a new QMP operation to disable
>> login.
>
> This change I mention below is the one that overloaded the semantics
> by making a password change also change the auth scheme, breaking
> the original behaviour.  If we want apps to be able to change the
> auth scheme that needs a separate monitor command.
>
> The current behaviour is not usable and introduces a security problem
> by changing auth scheme without being asked to.

I'll buy an argument about usability but not about security.  We need a 
higher level command to disable login and a higher level command to set 
the vnc password.  This interface should be considered deprecated.

Regards,

Anthony Liguori

> Daniel
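As an added illustration, not part of this thread or of QEMU, the toy model below replays the `123` / `""` / `456` sequence from Daniel's message against two behaviours: the one he objects to, where every password change also resets the auth scheme to 'VNC', and the one his patch proposes, where an empty password only disables login. The initial scheme name `sasl`, the field names and the `side_effects` audit helper are hypothetical.

```python
# Added example: a toy model of the VNC authentication state discussed in the
# thread. It is not QEMU code; 'sasl' and the field names are hypothetical.
from dataclasses import dataclass, asdict


@dataclass
class VncAuthState:
    auth: str                     # configured authentication scheme, e.g. 'VNC'
    password: str = ""            # an empty password means login is disabled
    login_disabled: bool = True


def change_password_resets_auth(state: VncAuthState, new_pw: str) -> VncAuthState:
    """Behaviour the thread objects to: a password change also rewrites the scheme."""
    state.auth = "VNC"
    state.password = new_pw
    state.login_disabled = (new_pw == "")
    return state


def change_password_fixed(state: VncAuthState, new_pw: str) -> VncAuthState:
    """Behaviour the patch argues for: only the password and login state change."""
    state.password = new_pw
    state.login_disabled = (new_pw == "")
    return state


def run_sequence(change, initial_auth: str = "sasl") -> VncAuthState:
    """Replay the 123 / "" / 456 sequence from the thread; return the final state."""
    state = VncAuthState(auth=initial_auth)
    for pw in ("123", "", "456"):
        state = change(state, pw)
    return state


def side_effects(change, initial_auth: str = "sasl") -> set:
    """Audit helper (hypothetical): fields other than the password and login flag
    that a management tool would find changed after the sequence."""
    before = asdict(VncAuthState(auth=initial_auth))
    after = asdict(run_sequence(change, initial_auth))
    expected = {"password", "login_disabled"}
    return {k for k in before if before[k] != after[k]} - expected


if __name__ == "__main__":
    print("reset-on-change:", run_sequence(change_password_resets_auth),
          "unexpected changes:", side_effects(change_password_resets_auth))
    print("fixed:          ", run_sequence(change_password_fixed),
          "unexpected changes:", side_effects(change_password_fixed))
```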

Thread overview: 6+ messages
2011-08-24 11:01 [Qemu-devel] [PATCH STABLE-0.14/0.15/master] CVE-2011-0011: fix VNC password change to not touch authentication settings Daniel P. Berrange
2011-08-24 12:45 ` Anthony Liguori
2011-08-24 12:50   ` Daniel P. Berrange
2011-08-24 12:55     ` Anthony Liguori [this message]
2011-08-24 13:02       ` Daniel P. Berrange
2011-08-24 14:52       ` Gerd Hoffmann