Libvirt Security Notice: LSN-2014-0007
======================================

Summary: virDomainGetXMLDesc leaks VNC passwords
Reported on: 20141031
Published on: 20141105
Fixed on: 20141106
Reported by: Eric Blake
Patched by: Eric Blake
See also: CVE-2014-7823

Description
-----------

At the time the VIR_DOMAIN_XML_MIGRATABLE flag was added to the
virDomainGetXMLDesc API, the qemu implementation chose to make the
flag always imply the VIR_DOMAIN_XML_SECURE flag. The secure flag had
been previously deemed unsafe to use from a read-only connection;
however, because the new migratable flag is not restricted against
use by read-only clients, a client can use the new flag to bypass the
restrictions placed on the use of the old flag.

Impact
------

A read-only client can trigger an information leak of data that
should normally require the use of VIR_DOMAIN_XML_SECURE to access.
Fortunately, the only data in this category is the value of an
optional VNC password.

Workaround
----------

VNC passwords are notoriously weak (they are capped at an 8 byte
maximum length; the VNC protocol sends them in plaintext over the
network; and FIPS mode execution prohibits the use of a VNC
password), so it is recommended that users not create domains with a
VNC password in the first place. Domains that do not use VNC
passwords do not suffer from information leaks; the use of SPICE
connections is recommended not only because it avoids the leak, but
also because SPICE provides better features than VNC for a guest
graphics device.

It is also possible to prevent the leak by denying access to
read-only clients; for builds of libvirt that support fine-grained
ACLs, this course of action requires ensuring that no user is granted
the 'read' ACL privilege without also having the 'read_secure'
privilege.

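The following check is an added example, not part of the notice or of libvirt's code: it flags domain definitions that carry a VNC password, the only data the notice says is exposed. It assumes the XML was obtained by an administrator with security information included; the sample definitions and the function names audit_domain and audit_all are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain definitions (not taken from the notice).
SAMPLE_DOMAINS = {
    "web01": """<domain type='kvm'><name>web01</name><devices>
        <graphics type='vnc' port='-1' autoport='yes' passwd='s3cret'/>
    </devices></domain>""",
    "db01": """<domain type='kvm'><name>db01</name><devices>
        <graphics type='spice' autoport='yes'/>
    </devices></domain>""",
    "build01": """<domain type='kvm'><name>build01</name><devices>
        <graphics type='vnc' port='5901'/>
    </devices></domain>""",
    "broken": "<domain><name>broken</name><devices>",  # truncated on purpose
}


def audit_domain(xml_text):
    """Return (domain name, finding) without ever echoing the password."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return (None, f"unparseable: {exc}")
    name = root.findtext("name", default="(unnamed)")
    for gfx in root.iterfind("./devices/graphics"):
        # A passwd attribute on a VNC graphics device is the leaked value.
        if gfx.get("type") == "vnc" and gfx.get("passwd") is not None:
            return (name, "vnc-password-set")
    return (name, "ok")


def audit_all(domains):
    """Take label -> XML text; return sorted exposed and unparseable labels."""
    exposed, errors = [], []
    for label, xml_text in domains.items():
        _, finding = audit_domain(xml_text)
        if finding == "vnc-password-set":
            exposed.append(label)
        elif finding.startswith("unparseable"):
            errors.append(label)
    return {"exposed": sorted(exposed), "errors": sorted(errors)}


if __name__ == "__main__":
    print(audit_all(SAMPLE_DOMAINS))
```

Domains reported as exposed are candidates for removing the VNC password or moving to SPICE, as the Workaround section recommends.
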
Affected product
----------------

Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

Branch: master
Broken in: v1.0.0
Broken in: v1.0.1
Broken in: v1.0.2
Broken in: v1.0.3
Broken in: v1.0.4
Broken in: v1.0.5
Broken in: v1.0.6
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Fixed in: v1.2.11
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b

Branch: v1.0.0-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935

Branch: v1.0.1-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935

Branch: v1.0.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 7b334c1660e926da7c0644c945263ce40a80443f

Branch: v1.0.3-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 220c6b867ca81f9027a7da54d5bc44b43c742d2a

Branch: v1.0.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3b7ce055e37e92c34090fcfcc0b6eaa860aa94a9

Branch: v1.0.5-maint
Broken in: v1.0.5.1
Broken in: v1.0.5.2
Broken in: v1.0.5.3
Broken in: v1.0.5.4
Broken in: v1.0.5.5
Broken in: v1.0.5.6
Broken in: v1.0.5.7
Broken in: v1.0.5.8
Broken in: v1.0.5.9
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 107f1ff20edc805433cade910a00328158b1c231

Branch: v1.0.6-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 333c95c9f3fb1e3c42b37f79b7f186511e8f8264

Branch: v1.1.0-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3d751cdcdbfac95b4a39a7db1b6e12e20838cb65

Branch: v1.1.1-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: f8c771335998f4d7a91b03c11526d819ee470dfc

Branch: v1.1.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 520ecab4ca09859d4de39cad7ae2e34272e0437e

Branch: v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Fixed in: v1.1.3.7
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: bdbcf66ae72f82d45faa889a1208444f83f5756b

Branch: v1.1.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 4e3856c06a3362a17a5aff0b59c4bfffbd97d105

Branch: v1.2.0-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 757292bfb33b610daff0936d2205a90d5d787a1a

Branch: v1.2.1-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 3adae530f549448cecfb6212a2e48bf4b04931bd

Branch: v1.2.2-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: bd78e6f6362d2484b931f112506dfde9d053fcde

Branch: v1.2.3-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 2a924d876c146913b5309c5919900f29b2850012

Branch: v1.2.4-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 8c083ff081dfd6b3e6ed2053e98c8bdd780db834

Branch: v1.2.5-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 2cfd147c49d696a3641145ac8edb9e49a85a515d

Branch: v1.2.6-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 59fff7ff9866227f4be3224bac581e95f3c53bb1

Branch: v1.2.7-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 0ea4cd2f4a5b87647a6ebf13038049badd3222c8

Branch: v1.2.8-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: c7500ce36fc4654c41e92a8194771122110a3e66

Branch: v1.2.9-maint
Fixed in: v1.2.9.1
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 744ddb15e0feaf2d6603a88dc8ffc3a7eb0a452d

Branch: v1.2.10-maint
Broken by: 28f8dfdcccd4c0f69063ef741545b37d8a7f7935
Fixed by: 11219f40f3d6132de7cf72287f136bae3747ad53