[libvirt] LSN-2014-0007: CVE-2014-7823 virDomainGetXMLDesc leaks VNC passwords

Eric Blake eblake at redhat.com
Mon Nov 10 18:52:42 UTC 2014


        Libvirt Security Notice: LSN-2014-0007
        ======================================

       Summary: virDomainGetXMLDesc leaks VNC passwords
   Reported on: 20141031
  Published on: 20141105
      Fixed on: 20141106
   Reported by: Eric Blake <eblake at redhat.com>
    Patched by: Eric Blake <eblake at redhat.com>
      See also: CVE-2014-7823

Description
-----------

At the time the VIR_DOMAIN_XML_MIGRATABLE flag was added to the
virDomainGetXMLDesc API, the qemu implementation chose to make the
flag always imply the VIR_DOMAIN_XML_SECURE flag. The secure flag
had been previously deemed unsafe to use from a read-only
connection; however, because the new migratable flag is not
restricted against use by read-only clients, a client can use the
new flag to bypass the restrictions placed on the use of the old
flag.

Impact
------

A read-only client can trigger an information leak of data that
should normally require the use of VIR_DOMAIN_XML_SECURE to access.
Fortunately, the only data in this category is the value of an
optional VNC password.
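
The flag interaction described above, as an added example (a simplified C model, not libvirt's code). `driver_format`, the two `gate_*` functions, `ro_sees_password` and the sample password are hypothetical, and the hardened gate is one assumed way to close the gap, not the actual patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flag values as in libvirt's public virDomainXMLFlags enum. */
enum { VIR_DOMAIN_XML_SECURE = 1 << 0, VIR_DOMAIN_XML_MIGRATABLE = 1 << 3 };
/* Constructed sample secret standing in for a domain's VNC password. */
static const char *const SAMPLE_PASSWD = "s3cr3t";

/* Driver side, simplified model: MIGRATABLE always implies SECURE, and
 * SECURE decides whether the password attribute is formatted. */
static void driver_format(unsigned int flags, char *buf, size_t len)
{
    if (flags & VIR_DOMAIN_XML_MIGRATABLE)
        flags |= VIR_DOMAIN_XML_SECURE;
    if (flags & VIR_DOMAIN_XML_SECURE)
        snprintf(buf, len, "<graphics type='vnc' passwd='%s'/>", SAMPLE_PASSWD);
    else
        snprintf(buf, len, "<graphics type='vnc'/>");
}

/* Entry gate as the notice describes it: only SECURE is refused. */
static bool gate_flawed(bool read_only, unsigned int flags)
{
    return !(read_only && (flags & VIR_DOMAIN_XML_SECURE));
}

/* Hardened gate (assumed): refuse every flag that expands to SECURE. */
static bool gate_hardened(bool read_only, unsigned int flags)
{
    return !(read_only &&
             (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE)));
}

/* True if a read-only caller ends up with the password in its XML. */
static bool ro_sees_password(bool (*gate)(bool, unsigned int), unsigned int flags)
{
    char xml[128] = "";
    if (!gate(true, flags))
        return false;   /* refused before the driver formats anything */
    driver_format(flags, xml, sizeof(xml));
    return strstr(xml, "passwd=") != NULL;
}

int main(void)
{
    printf("flawed:   leak=%d\n", ro_sees_password(gate_flawed, VIR_DOMAIN_XML_MIGRATABLE));
    printf("hardened: leak=%d\n", ro_sees_password(gate_hardened, VIR_DOMAIN_XML_MIGRATABLE));
}
```

The point for reviewers: an access check placed at the API boundary has to cover every flag that a backend later widens into a restricted one, otherwise the check and the behaviour drift apart.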

Workaround
----------

VNC passwords are notoriously weak (they are capped at an 8 byte
maximum length; the VNC protocol sends them in plaintext over the
network; and FIPS mode execution prohibits the use of a VNC
password), so it is recommended that users not create domains with a
VNC password in the first place. Domains that do not use VNC
passwords do not suffer from information leaks; the use of SPICE
connections is recommended not only because it avoids the leak, but
also because SPICE provides better features than VNC for a guest
graphics device. It is also possible to prevent the leak by denying
access to read-only clients; for builds of libvirt that support
fine-grained ACLs, this course of action requires ensuring that no
user is granted the 'read' ACL privilege without also having the
'read_secure' privilege.

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.0.0
   Broken in: v1.0.1
   Broken in: v1.0.2
   Broken in: v1.0.3
   Broken in: v1.0.4
   Broken in: v1.0.5
   Broken in: v1.0.6
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken in: v1.2.4
   Broken in: v1.2.5
   Broken in: v1.2.6
   Broken in: v1.2.7
   Broken in: v1.2.8
   Broken in: v1.2.9
   Broken in: v1.2.10
    Fixed in: v1.2.11
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b

      Branch: v1.0.2-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 7b334c1660e926da7c0644c945263ce40a80443f

      Branch: v1.0.3-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 220c6b867ca81f9027a7da54d5bc44b43c742d2a

      Branch: v1.0.4-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 3b7ce055e37e92c34090fcfcc0b6eaa860aa94a9

      Branch: v1.0.5-maint
   Broken in: v1.0.5.1
   Broken in: v1.0.5.2
   Broken in: v1.0.5.3
   Broken in: v1.0.5.4
   Broken in: v1.0.5.5
   Broken in: v1.0.5.6
   Broken in: v1.0.5.7
   Broken in: v1.0.5.8
   Broken in: v1.0.5.9
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 107f1ff20edc805433cade910a00328158b1c231

      Branch: v1.0.6-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 333c95c9f3fb1e3c42b37f79b7f186511e8f8264

      Branch: v1.1.0-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 3d751cdcdbfac95b4a39a7db1b6e12e20838cb65

      Branch: v1.1.1-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: f8c771335998f4d7a91b03c11526d819ee470dfc

      Branch: v1.1.2-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 520ecab4ca09859d4de39cad7ae2e34272e0437e

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken in: v1.1.3.5
   Broken in: v1.1.3.6
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: bdbcf66ae72f82d45faa889a1208444f83f5756b

      Branch: v1.1.4-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 4e3856c06a3362a17a5aff0b59c4bfffbd97d105

      Branch: v1.2.0-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 757292bfb33b610daff0936d2205a90d5d787a1a

      Branch: v1.2.1-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 3adae530f549448cecfb6212a2e48bf4b04931bd

      Branch: v1.2.2-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: bd78e6f6362d2484b931f112506dfde9d053fcde

      Branch: v1.2.3-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 2a924d876c146913b5309c5919900f29b2850012

      Branch: v1.2.4-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 8c083ff081dfd6b3e6ed2053e98c8bdd780db834

      Branch: v1.2.5-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 2cfd147c49d696a3641145ac8edb9e49a85a515d

      Branch: v1.2.6-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 59fff7ff9866227f4be3224bac581e95f3c53bb1

      Branch: v1.2.7-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 0ea4cd2f4a5b87647a6ebf13038049badd3222c8

      Branch: v1.2.8-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: c7500ce36fc4654c41e92a8194771122110a3e66

      Branch: v1.2.9-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 744ddb15e0feaf2d6603a88dc8ffc3a7eb0a452d

      Branch: v1.2.10-maint
   Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
    Fixed by: 11219f40f3d6132de7cf72287f136bae3747ad53


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org