Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-02-04 Thread Michael Tokarev
Please excuse me for the late reply - I missed your email initially somehow.

28.01.2011 00:59, Moritz Mühlenhoff wrote:
[]
> Thanks for the verbose explanation. I've updated the Debian
> Security Tracker.
>
> While we're at it; could you please also look into
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435 ?

That's a problem in the (host) kernel.

> Is this something that still needs to be fixed for Squeeze?

It is fixed in 2.6.32.27, by the following patch:

--
From 85dedd445698c5bbd096289cfcc6034f74941815 Mon Sep 17 00:00:00 2001
From: Gleb Natapov g...@redhat.com
Date: Wed, 10 Nov 2010 12:08:12 +0200
Subject: KVM: VMX: fix vmx null pointer dereference on debug register access

There is a bug in KVM that can be used to crash a host on Intel
machines. If emulator is tricked into emulating mov to/from DR instruction
it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Recently this is not exploitable from guest
userspace, but malicious guest kernel can trigger it easily.

CVE-2010-0435

On upstream bug was fixed differently around 2.6.34.
--

As far as I can see, 2.6.32.27 patch is included in current debian
kernels.  So no action appears to be necessary.

Thanks!

/mjt



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-02-04 Thread Moritz Muehlenhoff
On Fri, Feb 04, 2011 at 01:35:11PM +0300, Michael Tokarev wrote:
> Please excuse me for the late reply - I missed your email initially somehow.
>
> 28.01.2011 00:59, Moritz Mühlenhoff wrote:
> []
> > Thanks for the verbose explanation. I've updated the Debian
> > Security Tracker.
> >
> > While we're at it; could you please also look into
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435 ?
>
> That's a problem in the (host) kernel.
>
> > Is this something that still needs to be fixed for Squeeze?
>
> It is fixed in 2.6.32.27, by the following patch:
>
> --
> From 85dedd445698c5bbd096289cfcc6034f74941815 Mon Sep 17 00:00:00 2001
> From: Gleb Natapov g...@redhat.com
> Date: Wed, 10 Nov 2010 12:08:12 +0200
> Subject: KVM: VMX: fix vmx null pointer dereference on debug register access
>
> There is a bug in KVM that can be used to crash a host on Intel
> machines. If emulator is tricked into emulating mov to/from DR instruction
> it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
> are not initialized. Recently this is not exploitable from guest
> userspace, but malicious guest kernel can trigger it easily.
>
> CVE-2010-0435
>
> On upstream bug was fixed differently around 2.6.34.
> --
>
> As far as I can see, 2.6.32.27 patch is included in current debian
> kernels.  So no action appears to be necessary.

Thanks for the feedback, I've updated the Security Tracker.

Cheers,
Moritz






Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-29 Thread Julien Cristau
user release.debian@packages.debian.org
usertag 611134 squeeze-can-defer
tag 611134 squeeze-ignore
kthxbye

On Tue, Jan 25, 2011 at 22:25:27 +0100, Moritz Muehlenhoff wrote:

> Package: kvm
> Severity: grave
> Tags: security
>
> Please see the following entry in the Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
>
Tagging as not a blocker for squeeze.

Cheers,
Julien




Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-27 Thread Moritz Mühlenhoff
On Wed, Jan 26, 2011 at 08:56:06AM +0300, Michael Tokarev wrote:
> 26.01.2011 00:25, Moritz Muehlenhoff wrote:
> > Package: kvm
> > Severity: grave
> > Tags: security
> >
> > Please see the following entry in the Red Hat bugzilla:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
>
> Yes, I've seen this even before the CVE ID was assigned.
>
> > The impact is not entirely obvious to me? Do I understand it
> > correctly that a malicious application accessing a KVM
> > instance could lock out other apps to this virtual machine?
>
> This is a completely wrong understanding.
>
> First of all, only one instance is affected.
>
> Second, this is an intended behaviour.  An empty vnc password
> is meant to be no authentication, not a lockdown.  When you
> start it without specifying a password it lets everyone
> in.
>
> There was a bug in previous versions of qemu which is now
> fixed by the commit mentioned in that RH bugreport.  A bug
> which resulted in inability to change vnc to no auth mode
> at runtime if a password has been specified.
>
> The implication is this: if there was an application that
> relied on the wrong behaviour, thinking that changing VNC
> password at runtime to an empty string means a lockdown,
> that combination is now broken, since instead of a lockdown
> we're getting wide-open access.  But I'm not aware of any
> application like that.

Thanks for the verbose explanation. I've updated the Debian 
Security Tracker.

While we're at it; could you please also look into 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435 ?

Is this something that still needs to be fixed for Squeeze?

Cheers,
Moritz






Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-26 Thread Julien Cristau
On Wed, Jan 26, 2011 at 08:56:06 +0300, Michael Tokarev wrote:

> Second, this is an intended behaviour.  An empty vnc password
> is meant to be no authentication, not a lockdown.  When you
> start it without specifying a password it lets everyone
> in.
>
Intended by whom?

Cheers,
Julien




Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-26 Thread Michael Tokarev
On 26.01.2011 11:25, Julien Cristau wrote:
> On Wed, Jan 26, 2011 at 08:56:06 +0300, Michael Tokarev wrote:
>
> > Second, this is an intended behaviour.  An empty vnc password
> > is meant to be no authentication, not a lockdown.  When you
> > start it without specifying a password it lets everyone
> > in.
>
> Intended by whom?

Well, that's a good question.  From how qemu works that's
quite a logical thing to expect, to me anyway.  Empty password
means empty password, i.e., wide access instead of no access.
IMHO anyway.

/mjt






Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-25 Thread Moritz Muehlenhoff
Package: kvm
Severity: grave
Tags: security

Please see the following entry in the Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011 

The impact is not entirely obvious to me? Do I understand it
correctly that a malicious application accessing a KVM
instance could lock out other apps to this virtual machine?

Do you think this needs to be fixed for Squeeze or in a 
point update?

Cheers,
Moritz

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash






Bug#611134: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication

2011-01-25 Thread Michael Tokarev
26.01.2011 00:25, Moritz Muehlenhoff wrote:
> Package: kvm
> Severity: grave
> Tags: security
>
> Please see the following entry in the Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011

Yes, I've seen this even before the CVE ID was assigned.

> The impact is not entirely obvious to me? Do I understand it
> correctly that a malicious application accessing a KVM
> instance could lock out other apps to this virtual machine?

This is a completely wrong understanding.

First of all, only one instance is affected.

Second, this is an intended behaviour.  An empty vnc password
is meant to be no authentication, not a lockdown.  When you
start it without specifying a password it lets everyone
in.

There was a bug in previous versions of qemu which is now
fixed by the commit mentioned in that RH bugreport.  A bug
which resulted in inability to change vnc to no auth mode
at runtime if a password has been specified.

The implication is this: if there was an application that
relied on the wrong behaviour, thinking that changing VNC
password at runtime to an empty string means a lockdown,
that combination is now broken, since instead of a lockdown
we're getting wide-open access.  But I'm not aware of any
application like that.

> Do you think this needs to be fixed for Squeeze or in a
> point update?

I think this does not need to be fixed at all.  Maybe a
wishlist bug requesting a way to explicitly enable/disable
vnc at runtime, or - provided an application that relies
on the buggy behaviour is found - a fix for that application,
but definitely not like RH has put it.  I think.

Thanks!

/mjt
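As an added example (not code from this thread, from qemu or from Debian), here is a small RFB handshake audit an operator can run against a qemu VNC port to see which of the two states discussed above the server is actually in: it parses the server's SecurityTypes message, where an offered type 1 (None) is exactly the "lets everyone in" case, and it also handles the refusal message a server sends instead of a type list. Host, port and the sample messages are constructed placeholders, and the live check assumes a server speaking RFB 3.7 or later.

```python
import socket
import struct

# RFB security-type numbers from RFC 6143 section 7.1.2
SEC_NONE, SEC_VNC_AUTH = 1, 2

def parse_security_types(data: bytes):
    """Parse the RFB 3.7/3.8 server SecurityTypes message: u8 count, then
    `count` type bytes.  count == 0 means the server refused the connection
    and a u32-length reason string follows.  Returns (types, reason)."""
    if not data:
        raise ValueError("empty SecurityTypes message")
    count = data[0]
    if count == 0:
        (rlen,) = struct.unpack(">I", data[1:5])
        return [], data[5:5 + rlen].decode("latin-1", "replace")
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated SecurityTypes list")
    return types, None

def classify(types):
    """OPEN: type None (1) offered, so anyone connects without credentials.
    VNC_AUTH: password challenge required.  OTHER: only types this audit
    does not judge (e.g. VeNCrypt, 19) are offered, or none at all."""
    if SEC_NONE in types:
        return "OPEN"
    return "VNC_AUTH" if SEC_VNC_AUTH in types else "OTHER"

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-handshake")
        buf += chunk
    return buf

def audit_vnc(host, port=5900, timeout=3.0):
    """Negotiate RFB 3.8 with a live server (assumed 3.7+; 3.3 uses a
    different layout) and classify what it offers.  Only the handshake
    is read; no authentication attempt is made."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if not _read_exact(s, 12).startswith(b"RFB "):
            raise ValueError("not an RFB server")
        s.sendall(b"RFB 003.008\n")
        head = _read_exact(s, 1)
        body = _read_exact(s, head[0]) if head[0] else s.recv(4096)
        types, reason = parse_security_types(head + body)
    return classify(types), types, reason
```

Constructed messages such as `b"\x02\x02\x01"` (types VNC Authentication and None offered) classify as OPEN, while `b"\x01\x02"` classifies as VNC_AUTH; `audit_vnc("vm-host.example", 5901)` would do the same against a running instance.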


