Libvirt Security Notice: LSN-2017-0002
TLS certificate verification disabled for clients
Lifecycle
| Reported on: |
20171005 |
| Published on: |
20171016 |
| Fixed on: |
20171016 |
Credits
See also
Description
The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the TLS servers in QEMU request & verify certificates
from clients. This works as a simple access control system for QEMU
servers by requiring the CA to issue certs to permitted clients.
This use of client certificates is disabled by default, since it
requires extra work to issue client certificates.
Unfortunately the libvirt code was using these configuration parameters
when setting up both TLS clients and servers in QEMU. The result was that
TLS clients for character devices and disk devices had verification turned
off, meaning they would ignore any errors while validating the server
certificate.
Impact
A MITM attacker can attack any client connection made by QEMU's
character devices and disk devices which have TLS enabled. The attacker can
send an arbitrary certificate back to the client QEMU and it will ignore all
errors that result during validation.
Workaround
Enable the 'default_tls_x509_verify' parameter in qemu.conf
restart libvirtd. This will trigger libvirt to turn on certificate verification
in QEMU clients. Unfortunately this will also turn on use of client
certificates in QEMU servers.
Affected product: libvirt
Alternative formats:
[xml] [text]