Libvirt Security Notice: LSN-2015-0001

snapshots and save images leak VNC passwords

Lifecycle

Reported on: 20150120
Published on: 20150122
Fixed on: 20150122

Credits

Reported by: Luyao Huang
Patched by: Peter Krempa

See also

Description

The two interfaces virDomainSnapshotGetXMLDesc and virDomainSaveImageGetXMLDesc would accept the VIR_DOMAIN_XML_SECURE flag in situations where virDomainGetXMLDesc did not, when fine-grained access control lists (ACL) are in use. As a result, a client can use a snapshot or save image to bypass restrictions and gain access to the secured information.

Impact

A client using a read-write connection, and which has the 'domain:read' ACL privilege while lacking 'domain:secure_read', can trigger an information leak of data by using VIR_DOMAIN_XML_SECURE with the affected interfaces. Fortunately, the only data in this category is the value of an optional VNC password.

Workaround

VNC passwords are notoriously weak (they are capped at an 8 byte maximum length; the VNC protocol sends them in plaintext over the network; and FIPS mode execution prohibits the use of a VNC password), so it is recommended that users not create domains with a VNC password in the first place. Domains that do not use VNC passwords do not suffer from information leaks; the use of SPICE connections is recommended not only because it avoids the leak, but also because SPICE provides better features than VNC for a guest graphics device. Furthermore, the leak is only possible when fine-grained ACLs are in use; read-only clients cannot trigger the issue. Therefore, the problem is avoided if no user is granted the 'read' ACL privilege without also having the 'read_secure' privilege. Another mitigation is that the information leak can only occur if a snapshot or save image exists; a user that is denied 'read_secure' is typically also unable to create such an image, so the leak depends on a more privileged user making use of that feature.

Affected product: libvirt

Branch master
Broken in: v1.1.0
Broken in: v1.1.1
Broken in: v1.1.2
Broken in: v1.1.3
Broken in: v1.1.4
Broken in: v1.2.0
Broken in: v1.2.1
Broken in: v1.2.2
Broken in: v1.2.3
Broken in: v1.2.4
Broken in: v1.2.5
Broken in: v1.2.6
Broken in: v1.2.7
Broken in: v1.2.8
Broken in: v1.2.9
Broken in: v1.2.10
Broken in: v1.2.11
Fixed in: v1.2.12
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 03c3c0c874c84dfa51ef17556062b095c6e1c0a3
Fixed by: b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b
Branch v1.1.0-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: a976724f9a10730e1339628482a283653efdb72c
Fixed by: c4c824ec818ce85de049ed5546fa8ce3c8b76e32
Branch v1.1.1-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 9a2728e1b28b67a682e55d8dd3c0d79e21f0ad37
Fixed by: 2c6fc46d987911e310d30621cd6fc195af102fee
Branch v1.1.2-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 6eec2b830a752c95fc2d971d3daf7626f9701290
Fixed by: 947c969fc248c2324e565b5e4f80a3d11733f12b
Branch v1.1.3-maint
Broken in: v1.1.3.1
Broken in: v1.1.3.2
Broken in: v1.1.3.3
Broken in: v1.1.3.4
Broken in: v1.1.3.5
Broken in: v1.1.3.6
Broken in: v1.1.3.7
Broken in: v1.1.3.8
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: ca840e9c827fefadae2e00875b4a552b990b959f
Fixed by: 76d6cc3f24ab545694e77e2eafa981d861b965a4
Branch v1.1.4-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 43d16684c2018c20db1fba35542eb1d52ecb8d7a
Fixed by: 17defce9159c5111e7011e575ba72803a9418086
Branch v1.2.0-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 9475a25c86f3748e2069af67db69d79864b707b9
Fixed by: 8abca887b19600b6652654a01a78455afd4d8294
Branch v1.2.1-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: f7c70c20530954c2c1a2ce0d192d01a8f71c0093
Fixed by: 1f348188e0698ef2535c81d5a779189531c5df99
Branch v1.2.2-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: e99c25ca63c695a63b4c9b91ee956be4fb660772
Fixed by: 8107c1e3694ba4685960ec09868076379718f037
Branch v1.2.3-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 4edae3cb9600132e875a5b97cf31089a6c8f4cb2
Fixed by: 94d18e8f6dbe3afdc72b6df13e3eaa8861874a14
Branch v1.2.4-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: d406f0858e7e3a6199788d3c64217c69d7702032
Fixed by: 4700507a484aec43b02724893cbed931e52f86e0
Branch v1.2.5-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: b0b5e885f05a80d63e8a457031ea884e867244ad
Fixed by: 6b78ba5a15fb1077cee88cc30f1e5ba16485cd83
Branch v1.2.6-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 9b056d8daf68b6357ca05adbfddb53a85d077a1d
Fixed by: b87f3f835a5c88625d9514aae9a2ddf30bc64319
Branch v1.2.7-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: cc0cc987a53f5e3825c7d972e219e08688d4480b
Fixed by: aeb505814531d505f4d7718a10a96dd6dea14457
Branch v1.2.8-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: c0f3e664a68509a3d842bdc3fd126257da46d0c0
Fixed by: cef411296b2513ffd80dbf9cab1f54bd0c68fe6a
Branch v1.2.9-maint
Broken in: v1.2.9.1
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 19f8fec02d9b0a8de877d872c5b59597bd878a8d
Fixed by: 295f3c88ce71b8e83a489cb0d48431e124c12081
Branch v1.2.10-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: c379b17e259db4f07843c2a7a883fda1a1bd043f
Fixed by: d6e10847e0cd2bd7fc1824ad65fe859987715881
Branch v1.2.11-maint
Broken by: e341435e5090677c67a0d3d4ca0393102054841f
Fixed by: 41358b7e91a20c9a89b03202b8c4139f92dd1953
Fixed by: 7195a5fa4718d915b28bb6e3380255eb1fbf994a

Alternative formats: [xml] [text]