Debian Bug report logs - #611134
CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 25 Jan 2011 21:27:01 UTC
Severity: grave
Tags: security, squeeze-ignore
Fixed in versions qemu-kvm/0.12.5+dfsg-5+squeeze1, 0.14.0+dfsg-1~tls
Done: Michael Tokarev <mjt@tls.msk.ru>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Tue, 25 Jan 2011 21:27:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jan Lübbe <jluebbe@debian.org>. (Tue, 25 Jan 2011 21:27:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: kvm
Severity: grave
Tags: security
Please see the following entry in the Red Hat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
The impact is not entirely obvious to me. Do I understand it
correctly that a malicious application accessing a KVM
instance could lock out other apps to this virtual machine?
Do you think this needs to be fixed for Squeeze or in a
point update?
Cheers,
Moritz
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Wed, 26 Jan 2011 06:00:03 GMT)
Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>: Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Wed, 26 Jan 2011 06:00:03 GMT)
Message #10 received at 611134@bugs.debian.org:
26.01.2011 00:25, Moritz Muehlenhoff wrote:
> Package: kvm
> Severity: grave
> Tags: security
>
> Please see the following entry in the Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
Yes, I've seen this even before the CVE ID was assigned.
> The impact is not entirely obvious to me. Do I understand it
> correctly that a malicious application accessing a KVM
> instance could lock out other apps to this virtual machine?
This is a completely wrong understanding.
First of all, only one instance is affected.
Second, this is an intended behaviour. An empty vnc password
is meant to be no authentication, not a lockdown. When you
start it without specifying a password it lets everyone
in.
There was a bug in previous versions of qemu which is now
fixed by the commit mentioned in that RH bugreport. A bug
which resulted in inability to change vnc to "no auth" mode
at runtime if a password has been specified.
The implication is this: if there was an application that
relied on the wrong behaviour, "thinking" that changing VNC
password at runtime to an empty string means a lockdown,
that combination is now broken, since instead of a lockdown
we're getting wide-open access. But I'm not aware of any
application like that.
> Do you think this needs to be fixed for Squeeze or in a
> point update?
I think this does not need to be "fixed" at all. Maybe a
wishlist bug requesting a way to explicitly enable/disable
vnc at runtime, or - provided an application that relies
on the buggy behaviour is found - a fix for that application,
but definitely not like RH has put it. I think.
Thanks!
/mjt
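The two behaviours Michael describes above (old qemu: an empty runtime password could not switch the server back to no-auth mode, so it acted as a lockout; fixed qemu: an empty password means no authentication at all) are easy to get wrong from a management application. The following is an added example, not code from qemu-kvm or from anyone in this thread: a small model of both behaviours plus the guard a management layer should apply before it sends a password change. The class and function names (`VncServer`, `guard_vnc_password_change`, `is_rejected`, `demo`) and the pre-fix modelling ("stays in password mode with an unusable password") are assumptions made for illustration.

```python
"""Added example (not qemu-kvm's own code): model of the runtime VNC
password semantics described in Debian bug #611134, plus a management-side
guard. All names here are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Auth(Enum):
    NONE = "none"  # no authentication: every client is let in
    VNC = "vnc"    # VNC password authentication required


@dataclass
class VncServer:
    """Toy stand-in for qemu's VNC server authentication state."""
    auth: Auth = Auth.NONE
    password: str = ""
    fixed: bool = True  # True: post-CVE-2011-0011-fix semantics

    def change_password(self, new_password: str) -> None:
        """Runtime password change, as the thread describes it."""
        if new_password != "":
            self.auth = Auth.VNC
            self.password = new_password
            return
        if self.fixed:
            # Fixed qemu: an empty password means "no authentication",
            # exactly like starting the server without a password.
            self.auth = Auth.NONE
        # Old qemu (assumption: modelled as staying in password mode):
        # the server could not leave password mode at runtime, and with
        # an empty password nobody could authenticate, i.e. a lockout.
        self.password = ""

    def accepts(self, offered: str) -> bool:
        """Would a client offering this password get a session?"""
        if self.auth is Auth.NONE:
            return True
        return self.password != "" and offered == self.password


def guard_vnc_password_change(server: VncServer, new_password: str) -> None:
    """Management-side check: never let a 'lock it down' intent turn into a
    wide-open server. An application that used an empty password as a
    lockdown must do something explicit instead."""
    if new_password == "":
        raise ValueError(
            "empty VNC password disables authentication on fixed qemu; "
            "stop the VNC server or set a real password instead"
        )
    server.change_password(new_password)


def is_rejected(server: VncServer, new_password: str) -> bool:
    """True if the guard refuses the change (helper for checking the guard)."""
    try:
        guard_vnc_password_change(server, new_password)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Show the behaviour difference the thread describes: the same
    sequence (set a password, then set it to '') on old and fixed qemu."""
    old = VncServer(fixed=False)
    new = VncServer(fixed=True)
    for server in (old, new):
        server.change_password("s3cret")
        server.change_password("")  # the app "thinks" this locks the console
    return {
        "old_qemu_lets_anyone_in": old.accepts("anything"),
        "new_qemu_lets_anyone_in": new.accepts("anything"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last line of `demo()`: an identical command sequence yields a locked console on the old build and an unauthenticated one on the fixed build, which is exactly the compatibility hazard Michael describes. The guard is the cheap mitigation on the management side.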
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Wed, 26 Jan 2011 08:27:03 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Wed, 26 Jan 2011 08:27:03 GMT)
Message #15 received at 611134@bugs.debian.org:
On Wed, Jan 26, 2011 at 08:56:06 +0300, Michael Tokarev wrote:
> Second, this is an intended behaviour. An empty vnc password
> is meant to be no authentication, not a lockdown. When you
> start it without specifying a password it lets everyone
> in.
>
Intended by whom?
Cheers,
Julien
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Wed, 26 Jan 2011 10:12:12 GMT)
Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>: Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Wed, 26 Jan 2011 10:12:12 GMT)
Message #20 received at 611134@bugs.debian.org:
On 26.01.2011 11:25, Julien Cristau wrote:
> On Wed, Jan 26, 2011 at 08:56:06 +0300, Michael Tokarev wrote:
>
>> Second, this is an intended behaviour. An empty vnc password
>> is meant to be no authentication, not a lockdown. When you
>> start it without specifying a password it lets everyone
>> in.
>>
> Intended by whom?
Well, that's a good question. From how qemu works that's
quite a logical thing to expect, to me anyway. Empty password
means empty password, i.e., wide access instead of no access.
IMHO anyway.
/mjt
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Thu, 27 Jan 2011 22:03:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Thu, 27 Jan 2011 22:03:03 GMT)
Message #25 received at 611134@bugs.debian.org:
On Wed, Jan 26, 2011 at 08:56:06AM +0300, Michael Tokarev wrote:
> 26.01.2011 00:25, Moritz Muehlenhoff wrote:
> > Package: kvm
> > Severity: grave
> > Tags: security
> >
> > Please see the following entry in the Red Hat bugzilla:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
>
> Yes, I've seen this even before the CVE ID was assigned.
>
> > The impact is not entirely obvious to me. Do I understand it
> > correctly that a malicious application accessing a KVM
> > instance could lock out other apps to this virtual machine?
>
> This is a completely wrong understanding.
>
> First of all, only one instance is affected.
>
> Second, this is an intended behaviour. An empty vnc password
> is meant to be no authentication, not a lockdown. When you
> start it without specifying a password it lets everyone
> in.
>
> There was a bug in previous versions of qemu which is now
> fixed by the commit mentioned in that RH bugreport. A bug
> which resulted in inability to change vnc to "no auth" mode
> at runtime if a password has been specified.
>
> The implication is this: if there was an application that
> relied on the wrong behaviour, "thinking" that changing VNC
> password at runtime to an empty string means a lockdown,
> that combination is now broken, since instead of a lockdown
> we're getting wide-open access. But I'm not aware of any
> application like that.
Thanks for the verbose explanation. I've updated the Debian
Security Tracker.
While we're at it, could you please also look into
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435 ?
Is this something that still needs to be fixed for Squeeze?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Sat, 29 Jan 2011 16:03:07 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Sat, 29 Jan 2011 16:03:07 GMT)
Message #30 received at 611134@bugs.debian.org:
user release.debian.org@packages.debian.org
usertag 611134 squeeze-can-defer
tag 611134 squeeze-ignore
kthxbye
On Tue, Jan 25, 2011 at 22:25:27 +0100, Moritz Muehlenhoff wrote:
> Package: kvm
> Severity: grave
> Tags: security
>
> Please see the following entry in the Red Hat bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0011
>
Tagging as not a blocker for squeeze.
Cheers,
Julien
Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 29 Jan 2011 16:03:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Fri, 04 Feb 2011 10:39:07 GMT)
Acknowledgement sent to Michael Tokarev <mjt@tls.msk.ru>: Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Fri, 04 Feb 2011 10:39:07 GMT)
Message #37 received at 611134@bugs.debian.org:
Please excuse me for the late reply - I missed your email initially somehow.
28.01.2011 00:59, Moritz Mühlenhoff wrote:
[]
> Thanks for the verbose explanation. I've updated the Debian
> Security Tracker.
>
> While we're at it, could you please also look into
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435 ?
That's a problem in the (host) kernel.
> Is this something that still needs to be fixed for Squeeze?
It is fixed in 2.6.32.27, by the following patch:
------------------
From 85dedd445698c5bbd096289cfcc6034f74941815 Mon Sep 17 00:00:00 2001
From: Gleb Natapov <gleb@redhat.com>
Date: Wed, 10 Nov 2010 12:08:12 +0200
Subject: KVM: VMX: fix vmx null pointer dereference on debug register access
There is a bug in KVM that can be used to crash a host on Intel
machines. If emulator is tricked into emulating mov to/from DR instruction
it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Recently this is not exploitable from guest
userspace, but malicious guest kernel can trigger it easily.
CVE-2010-0435
Upstream, the bug was fixed differently around 2.6.34.
------------------
As far as I can see, the 2.6.32.27 patch is included in current Debian
kernels. So no action appears to be necessary.
Thanks!
/mjt
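Michael's answer above reduces to a version question: is the host running a 2.6.32.y kernel at or past 2.6.32.27, the stable release that carried the CVE-2010-0435 fix? The following is an added example (not from this thread, from Debian, or from any existing tool) of the check an operator would script over a fleet, including the one caveat that matters: a Debian kernel release string such as `2.6.32-5-amd64` is an ABI name and does not show the stable patch level, so the helper reports it as unknown instead of guessing. The function names (`cve_2010_0435_status`, `hosts_needing_action`) and the sample inventory are constructed for illustration; only the 2.6.32.y series is judged, because that is the only series the message states a fix version for.

```python
"""Added example: classify kernel release strings against the 2.6.32.27
stable fix for CVE-2010-0435 named in Debian bug #611134. Names and sample
data are constructed for illustration."""
import re

FIXED_IN = (2, 6, 32, 27)  # stable release carrying the fix, per the thread

# Plain upstream version: 2.6.32, 2.6.32.27, 2.6.34
_UPSTREAM = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")
# Debian ABI name as printed by uname -r, e.g. 2.6.32-5-amd64
_DEBIAN_ABI = re.compile(r"^(\d+)\.(\d+)\.(\d+)-\d+-\S+$")


def cve_2010_0435_status(release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown: <reason>' for a release string.

    Only the 2.6.32.y stable series is judged; anything else is reported as
    unknown rather than guessed, and a Debian ABI name is sent back to the
    package version and changelog, which are authoritative there."""
    if _DEBIAN_ABI.match(release):
        return ("unknown: Debian ABI name hides the stable patch level; "
                "check the kernel package version and changelog")
    m = _UPSTREAM.match(release)
    if not m:
        return "unknown: unrecognised release string"
    # A missing fourth component (plain 2.6.32) is patch level 0.
    major, minor, patch, sub = (int(x) if x else 0 for x in m.groups())
    if (major, minor, patch) != FIXED_IN[:3]:
        return "unknown: only the 2.6.32.y series is covered by this check"
    return "fixed" if sub >= FIXED_IN[3] else "vulnerable"


def hosts_needing_action(releases: dict) -> list:
    """Given {host: uname -r}, list hosts that are not known to be fixed
    (vulnerable or unknown), sorted by host name."""
    return [host for host, release in sorted(releases.items())
            if cve_2010_0435_status(release) != "fixed"]


# Constructed sample inventory (not real hosts or real measurements)
SAMPLE_INVENTORY = {
    "kvm-a": "2.6.32.27",
    "kvm-b": "2.6.32.21",
    "kvm-c": "2.6.32-5-amd64",
    "kvm-d": "2.6.32.40",
}


if __name__ == "__main__":
    for host, release in sorted(SAMPLE_INVENTORY.items()):
        print(host, release, cve_2010_0435_status(release))
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Treating "unknown" the same as "vulnerable" in `hosts_needing_action` is deliberate: a fleet check that silently passes hosts it cannot classify is worse than one that makes the operator look at the package changelog.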
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Lübbe <jluebbe@debian.org>: Bug#611134; Package kvm. (Fri, 04 Feb 2011 10:39:08 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Jan Lübbe <jluebbe@debian.org>. (Fri, 04 Feb 2011 10:39:09 GMT)
Message #42 received at 611134@bugs.debian.org:
On Fri, Feb 04, 2011 at 01:35:11PM +0300, Michael Tokarev wrote:
> Please excuse me for the late reply - I missed your email initially somehow.
>
> 28.01.2011 00:59, Moritz Mühlenhoff wrote:
> []
> > Thanks for the verbose explanation. I've updated the Debian
> > Security Tracker.
> >
> > While we're at it, could you please also look into
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0435 ?
>
> That's a problem in the (host) kernel.
>
> > Is this something that still needs to be fixed for Squeeze?
>
> It is fixed in 2.6.32.27, by the following patch:
>
> ------------------
> From 85dedd445698c5bbd096289cfcc6034f74941815 Mon Sep 17 00:00:00 2001
> From: Gleb Natapov <gleb@redhat.com>
> Date: Wed, 10 Nov 2010 12:08:12 +0200
> Subject: KVM: VMX: fix vmx null pointer dereference on debug register access
>
> There is a bug in KVM that can be used to crash a host on Intel
> machines. If emulator is tricked into emulating mov to/from DR instruction
> it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
> are not initialized. Recently this is not exploitable from guest
> userspace, but malicious guest kernel can trigger it easily.
>
> CVE-2010-0435
>
> Upstream, the bug was fixed differently around 2.6.34.
> ------------------
>
> As far as I can see, the 2.6.32.27 patch is included in current Debian
> kernels. So no action appears to be necessary.
Thanks for the feedback, I've updated the Security Tracker.
Cheers,
Moritz
Added tag(s) pending. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Tue, 26 Apr 2011 08:33:16 GMT)
Reply sent to Michael Tokarev <mjt@tls.msk.ru>: You have taken responsibility. (Mon, 02 May 2011 20:12:07 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Mon, 02 May 2011 20:12:07 GMT)
Message #49 received at 611134-close@bugs.debian.org:
Source: qemu-kvm
Source-Version: 0.12.5+dfsg-5+squeeze1
We believe that the bug you reported is fixed in the latest version of
qemu-kvm, which is due to be installed in the Debian FTP archive:
kvm_0.12.5+dfsg-5+squeeze1_amd64.deb to main/q/qemu-kvm/kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
qemu-kvm-dbg_0.12.5+dfsg-5+squeeze1_amd64.deb to main/q/qemu-kvm/qemu-kvm-dbg_0.12.5+dfsg-5+squeeze1_amd64.deb
qemu-kvm_0.12.5+dfsg-5+squeeze1.diff.gz to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze1.diff.gz
qemu-kvm_0.12.5+dfsg-5+squeeze1.dsc to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze1.dsc
qemu-kvm_0.12.5+dfsg-5+squeeze1_amd64.deb to main/q/qemu-kvm/qemu-kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 611134@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated qemu-kvm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 26 Apr 2011 12:04:36 +0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 0.12.5+dfsg-5+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Jan Lübbe <jluebbe@debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Description:
kvm - dummy transitional package from kvm to qemu-kvm
qemu-kvm - Full virtualization on x86 hardware
qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 611134 624177
Changes:
qemu-kvm (0.12.5+dfsg-5+squeeze1) stable-security; urgency=high
.
* fix CVE-2011-0011: Setting VNC password to empty string
silently disables all authentication (Closes: #611134)
* fix CVE-2011-1750: virtio-blk: heap buffer overflow caused
by unaligned requests (Closes: #624177)
* urgency is high due to #624177
Checksums-Sha1:
60e865cf028cd22db33017d65e2e446b0dc97392 1696 qemu-kvm_0.12.5+dfsg-5+squeeze1.dsc
565ee0ce6995798b577d23746b1fc4fdbc9e8458 3801867 qemu-kvm_0.12.5+dfsg.orig.tar.gz
67626e00fd3081b6df80fa2d4a8fcdeb42ef52ab 299331 qemu-kvm_0.12.5+dfsg-5+squeeze1.diff.gz
cabca783e1223e1f132354fc7a299004b391ae01 1612670 qemu-kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
1cefb37d4d28ff9d513f0f85df0ac5fa2780b1b9 2817690 qemu-kvm-dbg_0.12.5+dfsg-5+squeeze1_amd64.deb
5d0f41e0ac73db5676c3f153b72c4fcc49bcb3b1 12522 kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
Checksums-Sha256:
b0484bac40d294a099dd1016b436fcabb2689cbdd73b2da688eccef9c1983003 1696 qemu-kvm_0.12.5+dfsg-5+squeeze1.dsc
2f4ff1b7fd30318a19636ed4266a13184c1729b428097763a84ee5b5bf466856 3801867 qemu-kvm_0.12.5+dfsg.orig.tar.gz
203d5a8b34b3f65050053b3915c7ce5f1474383277b440cb81feafaa1ba1da72 299331 qemu-kvm_0.12.5+dfsg-5+squeeze1.diff.gz
f62cb9689d904c3a843794cc1fe8c21947349f7f00fbdc8c6affc910ab190da2 1612670 qemu-kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
fdbe3bab6c18879971915c4dfb2fab5f59a8a2218a64ec25090daf8825349b1b 2817690 qemu-kvm-dbg_0.12.5+dfsg-5+squeeze1_amd64.deb
595a0a3d402cb35195584fa313aa47bb25376760c92c0517703ed6d268b231f1 12522 kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
Files:
85bd61fb21930e014f0790bf51c16862 1696 misc optional qemu-kvm_0.12.5+dfsg-5+squeeze1.dsc
a28c3bf70d0bb298153764e74d1551f0 3801867 misc optional qemu-kvm_0.12.5+dfsg.orig.tar.gz
4aff91f02a90bb3d0a78a0a98d7fe4c6 299331 misc optional qemu-kvm_0.12.5+dfsg-5+squeeze1.diff.gz
ef790ddd5f249fa3818919f1dc661bdb 1612670 misc optional qemu-kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
047e07f2d32a0b108d83f7b494b3d316 2817690 debug extra qemu-kvm-dbg_0.12.5+dfsg-5+squeeze1_amd64.deb
66cf4a055e8bf56b9166270d2390f4c2 12522 oldlibs extra kvm_0.12.5+dfsg-5+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk24eRwACgkQXm3vHE4uylr44QCg53EQEUH/VC5F72DzT0NqcL3e
i+MAoKO/7LfNDlqcFh3c1e8Q7WCpxkx0
=08XY
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Jun 2011 07:33:41 GMT)
Bug unarchived. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Sun, 30 Oct 2011 19:21:06 GMT)
Bug marked as fixed in versions 1:0.14.0-1. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Sun, 30 Oct 2011 19:21:07 GMT)
Bug marked as fixed in versions 0.14.0+dfsg-1. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Sun, 30 Oct 2011 19:27:06 GMT)
Bug no longer marked as fixed in versions 1:0.14.0-1. Request was from Michael Tokarev <mjt@tls.msk.ru> to control@bugs.debian.org. (Sun, 30 Oct 2011 19:27:11 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Nov 2011 07:34:24 GMT)
Bug unarchived. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2011 00:00:41 GMT)
Bug no longer marked as fixed in versions 0.14.0+dfsg-1. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2011 00:00:42 GMT)
Bug marked as fixed in versions 0.14.0+dfsg-1~tls. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2011 00:00:42 GMT)
Bug archived. Request was from Luk Claes <luk@debian.org> to control@bugs.debian.org. (Sat, 31 Dec 2011 00:00:43 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Fri Nov 24 01:10:11 2023; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.