Debian Bug report logs - #909389 virt-inst --location security concern
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>: Bug#909389; Package virtinst. (Sat, 22 Sep 2018 21:06:03 GMT)
Acknowledgement sent to Simon Josefsson <simon@josefsson.org>: New Bug report received and forwarded. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Sat, 22 Sep 2018 21:06:03 GMT)
Message #5 received at submit@bugs.debian.org:
Package: virtinst
Version: 1:1.4.0-5
I rediscovered a problem I found a couple of years ago, and thought I'd report it properly this time.
The problem is that "virt-install --location" does not verify checksums/signatures of what is downloaded, and is thus vulnerable to a network attack where someone replaces the kernel/initrd with a version that is malicious. As far as I know, there is no way to tell virt-install what checksums to expect.
See earlier discussion here: https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html
Quoting the manpage which gives http-URLs to use:
--location OPTIONS
...
Debian
http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/
Ubuntu
http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/
A workaround is to replace the recommended http URLs with https URLs.
I checked that CA verification of the domain name works. This gives
some protection, but far from a GnuPG-based verification that would be
ideal.
Run this command to see what is happening:
virt-install --name foo --memory 500 --disk none --location http://deb.debian.org/debian/dists/stable/main/installer-amd64/ --noautoconsole --debug
/Simon
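A pre-flight check of the kind the report asks for, as an added example that is not part of the bug report or of virtinst: it refuses a non-https --location and verifies the fetched kernel and initrd against a SHA256SUMS list before they are handed to virt-install. The netboot file paths and the sample sums are constructed for the example.

```python
"""Pre-flight check for `virt-install --location`: verify the downloaded kernel
and initrd against a SHA256SUMS list and require an https mirror, the two
checks the report says virt-install does not make. Added example, not virtinst code."""
import hashlib
import re
from urllib.parse import urlparse

# Relative paths inside the installer directory; this netboot layout is an
# assumption for the example, not something the report states.
KERNEL = "netboot/debian-installer/amd64/linux"
INITRD = "netboot/debian-installer/amd64/initrd.gz"

# Constructed SHA256SUMS in the usual "<hex digest>  <path>" layout, using
# sha256("abc") and sha256("") so the sample verifies without any download.
SAMPLE_SUMS = "\n".join([
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  ./" + KERNEL,
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *./" + INITRD,
])
SAMPLE_FILES = {KERNEL: b"abc", INITRD: b""}  # constructed "downloads"

# One sums line: 64 hex chars, whitespace, optional "*" binary marker, path.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")

def parse_sha256sums(text):
    """Map relative path -> lowercase digest, ignoring malformed lines."""
    sums = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            path = m.group(2)
            sums[path[2:] if path.startswith("./") else path] = m.group(1).lower()
    return sums

def location_is_https(url):
    """True only for an https URL with a host (the report's http workaround)."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)

def verify_files(files, sums_text):
    """True only if every file is listed in the sums and its digest matches."""
    sums = parse_sha256sums(sums_text)
    ok = True
    for path, data in files.items():
        actual = hashlib.sha256(data).hexdigest()
        if sums.get(path) != actual:  # an unlisted file fails too
            print(f"MISMATCH {path}: {actual[:12]}... != {sums.get(path)}")
            ok = False
    return ok
```

If the SHA256SUMS file is fetched from the same https mirror as the images, this still only gives the CA-level protection the report describes; checking the sums file against a GnuPG-signed source is the stronger step the report calls ideal.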
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 17 Sep 2020 17:21:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>: Bug#909389; Package virtinst. (Mon, 30 Nov 2020 08:21:03 GMT)
Acknowledgement sent to Pino Toscano <pino@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.debian.org>. (Mon, 30 Nov 2020 08:21:03 GMT)
Message #14 received at 909389@bugs.debian.org:
Hi,
On Saturday 22 September 2018 22:51:36 CET, you wrote:
> Package: virtinst
> Version: 1:1.4.0-5
>
> I rediscovered a problem I found a couple of years ago, and thought I'd
> report it properly this time.
>
> The problem is that "virt-install --location" does not verify
> checksums/signatures of what is downloaded, and is thus vulnerable to a
> network attack where someone replaces the kernel/initrd with a version
> that is malicious. As far as I know, there is no way to tell virt-install what checksums to expect.
>
> See earlier discussion here: https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html
>
> Quoting the manpage which gives http-URLs to use:
>
> --location OPTIONS
> ...
> Debian
> http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/
>
> Ubuntu
> http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/
>
> A workaround is to replace the recommended http URLs with https URLs.
> I checked that CA verification of the domain name works. This gives
> some protection, but far from a GnuPG-based verification that would be
> ideal.
Upstream switched to https URLs with two commits:
- a712549b2b9b0100907878fea18442be68b8d35f [1]
- b1460ba0654c00527c8d5632d69b30c7030dc182 [2]
which are both available in virt-manager 2.0.0.
Note that even before the above fixes it was possible to pass https
URLs to the installer location.
Also, the upstream bug rh#1632132 [3] was recently closed, also because of
its low priority and the little interest shown in it. I'd tend to close
this bug as well, though I'm not strongly for it.
[1] https://github.com/virt-manager/virt-manager/commit/a712549b2b9b0100907878fea18442be68b8d35f
[2] https://github.com/virt-manager/virt-manager/commit/b1460ba0654c00527c8d5632d69b30c7030dc182
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1632132
--
Pino Toscano
Last modified: Sat Aug 26 19:36:36 2023