[libvirt] LSN-2015-0001: CVE-2015-0236 snapshots and save images leak VNC passwords

Eric Blake eblake at redhat.com
Thu Jan 22 21:23:08 UTC 2015


        Libvirt Security Notice: LSN-2015-0001
        ======================================

       Summary: snapshots and save images leak VNC passwords
   Reported on: 20150120
  Published on: 20150122
      Fixed on: 20150122
   Reported by: Luyao Huang <lhuang at redhat.com>
    Patched by: Peter Krempa <pkrempa at redhat.com>
      See also: CVE-2015-0236

Description
-----------

The two interfaces virDomainSnapshotGetXMLDesc and
virDomainSaveImageGetXMLDesc would accept the VIR_DOMAIN_XML_SECURE
flag in situations where virDomainGetXMLDesc did not, when
fine-grained access control lists (ACL) are in use. As a result, a
client can use a snapshot or save image to bypass restrictions and
gain access to the secured information.

Impact
------

A client using a read-write connection, and which has the
'domain:read' ACL privilege while lacking 'domain:read_secure', can
trigger an information leak of data by using VIR_DOMAIN_XML_SECURE
with the affected interfaces. Fortunately, the only data in this
category is the value of an optional VNC password.

Workaround
----------

VNC passwords are notoriously weak (they are capped at an 8 byte
maximum length; the VNC protocol sends them in plaintext over the
network; and FIPS mode execution prohibits the use of a VNC
password), so it is recommended that users not create domains with a
VNC password in the first place. Domains that do not use VNC
passwords do not suffer from information leaks; the use of SPICE
connections is recommended not only because it avoids the leak, but
also because SPICE provides better features than VNC for a guest
graphics device. Furthermore, the leak is only possible when
fine-grained ACLs are in use; read-only clients cannot trigger the
issue. Therefore, the problem is avoided if no user is granted the
'read' ACL privilege without also having the 'read_secure'
privilege. Another mitigation is that the information leak can only
occur if a snapshot or save image exists; a user that is denied
'read_secure' is typically also unable to create such an image, so
the leak depends on a more privileged user making use of that
feature.
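
The two mitigations above (no VNC passwords on domains; no user with
'domain:read' but without 'domain:read_secure') can be audited from the
domain XML and the ACL grant table. The script below is an added example,
not libvirt code; it assumes the standard layout of libvirt's domain XML
(<graphics> under <devices>, with a 'passwd' attribute) and uses a
constructed sample guest and a constructed grant table as input.

```python
"""Audit a libvirt guest and an ACL grant table for the conditions
that make CVE-2015-0236 exploitable (added example, not libvirt code)."""
import xml.etree.ElementTree as ET

# Constructed sample domain: one VNC device with a password, one SPICE device.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>demo-guest</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' passwd='hunter2'/>
    <graphics type='spice' port='-1' autoport='yes'/>
  </devices>
</domain>
"""

# Constructed grant table: user -> set of libvirt ACL permissions held.
SAMPLE_GRANTS = {
    "alice": {"domain:read"},                        # read without read_secure
    "bob":   {"domain:read", "domain:read_secure"},  # consistent pair
    "carol": {"domain:read_secure"},                 # nothing to flag
}


def audit_graphics(domain_xml):
    """Return one finding per <graphics> device; a VNC device that carries a
    passwd attribute is flagged, since that attribute is exactly what a
    secure XML dump exposes to an under-privileged client."""
    root = ET.fromstring(domain_xml)
    findings = []
    for g in root.iterfind("./devices/graphics"):
        gtype = g.get("type")
        has_passwd = g.get("passwd") is not None
        findings.append({"type": gtype, "has_passwd": has_passwd,
                         "flag": gtype == "vnc" and has_passwd})
    return findings


def vnc_password_devices(domain_xml):
    """Only the devices the workaround says should not exist."""
    return [f for f in audit_graphics(domain_xml) if f["flag"]]


def acl_gaps(grants):
    """Users holding domain:read but not domain:read_secure, sorted."""
    return sorted(user for user, perms in grants.items()
                  if "domain:read" in perms and "domain:read_secure" not in perms)


if __name__ == "__main__":
    print("VNC devices with password:", vnc_password_devices(SAMPLE_DOMAIN_XML))
    print("users with read but not read_secure:", acl_gaps(SAMPLE_GRANTS))
```

On a live host the same functions can be fed the output of
virDomainGetXMLDesc with VIR_DOMAIN_XML_SECURE taken by a fully
privileged administrator, which is the only client that should see the
passwd attribute.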

Affected product
----------------

        Name: libvirt
  Repository: git://libvirt.org/git/libvirt.git
              http://libvirt.org/git/?p=libvirt.git

      Branch: master
   Broken in: v1.1.0
   Broken in: v1.1.1
   Broken in: v1.1.2
   Broken in: v1.1.3
   Broken in: v1.1.4
   Broken in: v1.2.0
   Broken in: v1.2.1
   Broken in: v1.2.2
   Broken in: v1.2.3
   Broken in: v1.2.4
   Broken in: v1.2.5
   Broken in: v1.2.6
   Broken in: v1.2.7
   Broken in: v1.2.8
   Broken in: v1.2.9
   Broken in: v1.2.10
   Broken in: v1.2.11
    Fixed in: v1.2.12
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 03c3c0c874c84dfa51ef17556062b095c6e1c0a3
    Fixed by: b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b

      Branch: v1.1.0-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: a976724f9a10730e1339628482a283653efdb72c
    Fixed by: c4c824ec818ce85de049ed5546fa8ce3c8b76e32

      Branch: v1.1.1-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 9a2728e1b28b67a682e55d8dd3c0d79e21f0ad37
    Fixed by: 2c6fc46d987911e310d30621cd6fc195af102fee

      Branch: v1.1.2-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 6eec2b830a752c95fc2d971d3daf7626f9701290
    Fixed by: 947c969fc248c2324e565b5e4f80a3d11733f12b

      Branch: v1.1.3-maint
   Broken in: v1.1.3.1
   Broken in: v1.1.3.2
   Broken in: v1.1.3.3
   Broken in: v1.1.3.4
   Broken in: v1.1.3.5
   Broken in: v1.1.3.6
   Broken in: v1.1.3.7
   Broken in: v1.1.3.8
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: ca840e9c827fefadae2e00875b4a552b990b959f
    Fixed by: 76d6cc3f24ab545694e77e2eafa981d861b965a4

      Branch: v1.1.4-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 43d16684c2018c20db1fba35542eb1d52ecb8d7a
    Fixed by: 17defce9159c5111e7011e575ba72803a9418086

      Branch: v1.2.0-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 9475a25c86f3748e2069af67db69d79864b707b9
    Fixed by: 8abca887b19600b6652654a01a78455afd4d8294

      Branch: v1.2.1-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: f7c70c20530954c2c1a2ce0d192d01a8f71c0093
    Fixed by: 1f348188e0698ef2535c81d5a779189531c5df99

      Branch: v1.2.2-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: e99c25ca63c695a63b4c9b91ee956be4fb660772
    Fixed by: 8107c1e3694ba4685960ec09868076379718f037

      Branch: v1.2.3-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 4edae3cb9600132e875a5b97cf31089a6c8f4cb2
    Fixed by: 94d18e8f6dbe3afdc72b6df13e3eaa8861874a14

      Branch: v1.2.4-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: d406f0858e7e3a6199788d3c64217c69d7702032
    Fixed by: 4700507a484aec43b02724893cbed931e52f86e0

      Branch: v1.2.5-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: b0b5e885f05a80d63e8a457031ea884e867244ad
    Fixed by: 6b78ba5a15fb1077cee88cc30f1e5ba16485cd83

      Branch: v1.2.6-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 9b056d8daf68b6357ca05adbfddb53a85d077a1d
    Fixed by: b87f3f835a5c88625d9514aae9a2ddf30bc64319

      Branch: v1.2.7-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: cc0cc987a53f5e3825c7d972e219e08688d4480b
    Fixed by: aeb505814531d505f4d7718a10a96dd6dea14457

      Branch: v1.2.8-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: c0f3e664a68509a3d842bdc3fd126257da46d0c0
    Fixed by: cef411296b2513ffd80dbf9cab1f54bd0c68fe6a

      Branch: v1.2.9-maint
   Broken in: v1.2.9.1
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 19f8fec02d9b0a8de877d872c5b59597bd878a8d
    Fixed by: 295f3c88ce71b8e83a489cb0d48431e124c12081

      Branch: v1.2.10-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: c379b17e259db4f07843c2a7a883fda1a1bd043f
    Fixed by: d6e10847e0cd2bd7fc1824ad65fe859987715881

      Branch: v1.2.11-maint
   Broken by: e341435e5090677c67a0d3d4ca0393102054841f
    Fixed by: 41358b7e91a20c9a89b03202b8c4139f92dd1953
    Fixed by: 7195a5fa4718d915b28bb6e3380255eb1fbf994a

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
