Libvirt Security Notice: LSN-2014-0007

virDomainGetXMLDesc leaks VNC passwords

Lifecycle

Reported on: 20141031
Published on: 20141105
Fixed on: 20141106

Credits

Reported by: Eric Blake
Patched by: Eric Blake

See also

Description

At the time the VIR_DOMAIN_XML_MIGRATABLE flag was added to the virDomainGetXMLDesc API, the qemu implementation chose to make the flag always imply the VIR_DOMAIN_XML_SECURE flag. The secure flag had been previously deemed unsafe to use from a read-only connection; however, because the new migratable flag is not restricted against use by read-only clients, a client can use the new flag to bypass the restrictions placed on the use of the old flag.

Impact

A read-only client can trigger an information leak of data that should normally require the use of VIR_DOMAIN_XML_SECURE to access. Fortunately, the only data in this category is the value of an optional VNC password.

Workaround

VNC passwords are notoriously weak (they are capped at an 8 byte maximum length; the VNC protocol sends them in plaintext over the network; and FIPS mode execution prohibits the use of a VNC password), so it is recommended that users not create domains with a VNC password in the first place. Domains that do not use VNC passwords do not suffer from information leaks; the use of SPICE connections is recommended not only because it avoids the leak, but also because SPICE provides better features than VNC for a guest graphics device. It is also possible to prevent the leak by denying access to read-only clients; for builds of libvirt that support fine-grained ACLs, this course of action requires ensuring that no user is granted the 'read' ACL privilege without also having the 'read_secure' privilege.

Affected product: libvirt

Branch master
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b
Branch v1.0.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 7b334c1660e926da7c0644c945263ce40a80443f
Branch v1.0.3-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 220c6b867ca81f9027a7da54d5bc44b43c742d2a
Branch v1.0.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3b7ce055e37e92c34090fcfcc0b6eaa860aa94a9
Branch v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 107f1ff20edc805433cade910a00328158b1c231
Branch v1.0.6-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 333c95c9f3fb1e3c42b37f79b7f186511e8f8264
Branch v1.1.0-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3d751cdcdbfac95b4a39a7db1b6e12e20838cb65
Branch v1.1.1-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: f8c771335998f4d7a91b03c11526d819ee470dfc
Branch v1.1.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 520ecab4ca09859d4de39cad7ae2e34272e0437e
Branch v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Fixed in: v1.1.3.7
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: bdbcf66ae72f82d45faa889a1208444f83f5756b
Branch v1.1.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 4e3856c06a3362a17a5aff0b59c4bfffbd97d105
Branch v1.2.0-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 757292bfb33b610daff0936d2205a90d5d787a1a
Branch v1.2.1-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3adae530f549448cecfb6212a2e48bf4b04931bd
Branch v1.2.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: bd78e6f6362d2484b931f112506dfde9d053fcde
Branch v1.2.3-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 2a924d876c146913b5309c5919900f29b2850012
Branch v1.2.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 8c083ff081dfd6b3e6ed2053e98c8bdd780db834
Branch v1.2.5-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 2cfd147c49d696a3641145ac8edb9e49a85a515d
Branch v1.2.6-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 59fff7ff9866227f4be3224bac581e95f3c53bb1
Branch v1.2.7-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 0ea4cd2f4a5b87647a6ebf13038049badd3222c8
Branch v1.2.8-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: c7500ce36fc4654c41e92a8194771122110a3e66
Branch v1.2.9-maint
Fixed in: v1.2.9.1
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 744ddb15e0feaf2d6603a88dc8ffc3a7eb0a452d
Branch v1.2.10-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 11219f40f3d6132de7cf72287f136bae3747ad53

Alternative formats: [xml] [text]