Bug 1151798

Summary: virt-manager/spice: USB devices are generally redirected to VMs
Product: [Fedora] Fedora Reporter: Christoph Anton Mitterer <calestyo>
Component: virt-managerAssignee: Cole Robinson <crobinso>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 22CC: agx, berrange, crobinso, pmatouse, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-24 22:33:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christoph Anton Mitterer 2014-10-11 23:43:03 UTC 
Hi.

Quoting myself from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764894:



Hi.

Not sure whether the problem here is actually in virt-manager, libvirt
or spice-client-glib-usb-acl-helper.
So pleace redirect as necessary.


I've just noted a very serious behaviour (which is also why I marked
it as critical and root security hole):

It seems that when plugging an USB device into ay computer where
I run virtmanager and where I'm connected to some VMs via SPICE,
that such USB devices are forwarded to that VM. o.O

I wonder how it chooses to which the device is redirected if there
are more VMs connected.


Now SPICE seemst to be the default for newly created VMs via libvirt
and the SPICE USB Redirector devices are created per default as well.
Also this isn't like the "USB Host Device" hardware in
virtmanager/libvirt/qemu, where one at least has to select *which*
USB device is connected.


Now since VM's are often used by people as kind of jails, e.g. running
untrustworthy OSes or programs in it, or since the VM may be just on
any remote server (from work or wherever), redirecting USB devices
without asking is IMHO a great security hole.
The USB device could contain just anything, my most recent hard disk
backup (and thus root passwords, dmcrypt keys etc). or my private
picture collection.


The 2nd critical security aspect of this:
A normal user(!) is apparently allowed to redirect a hardware device.
Not sure whether this is the typical policykit problem that locally
logged in users are handled as if they were root... but hell, one
cannot simply give normal users full access to USB devices if root
hasn't manually allowed them.


Cheers,
Chris
Comment 1 Christoph Anton Mitterer 2014-10-11 23:43:20 UTC 
After some thinking I'd guess that there are actually two bugs:

1) That virt-manager automatically redirects without asking (because
apparently it now has a menu (Virtual Machine/Redirect USB Device) which
should do just that.
Actually IMHO it should generally happen only manually, because it's
quite annoying if everytime I put in some USB device, all my
virt-manager consoles would ask for it.

2) A security hole in the polkit configuration, in that it allows any
user actually redirect - and via that - gain full access to such USB
device.


So only if root has manually (via configuration) allowed a user to
redirect all or specific USB devices polkit should even grant the whole
thing.
But even then, it shouldn't happen automatically, but only when the user
really says "oh, yeah,... go and redirect".


Cheers,
Chris.
Comment 2 Christoph Anton Mitterer 2014-10-11 23:48:44 UTC 
After some longer searching (the documentation of libvirt/virtmanager is really... well... not existent in so many fields :-( ) I found this:

https://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/Virtualization_Deployment_and_Administration_Guide/sect-limit-redirection.html


This is of course no solution to the issues described above, since this is on the server side,... i.e. it would be just a voluntary "no we don't steal access to your USB devices" by some potential attacker.



but btw:
   <redirfilter>
      <usbdev class='0x08' vendor='0x0951' product='0x1625' version='2.0' allow='yes'/>
      <usbdev allow='no'/>
    </redirfilter>

Okay one can probably guess what class/vendor/product are (even though USB knows several kinds of classes),... but what's version? The USB bus version? If so it seems to not work, cause I connected a USB2.0 device on a ehci (on the host), and the guest was configured to USB2 as well, ... but the filter didn't match - removing the version='2.0'... and it got matched however.
Comment 3 Guido Günther 2014-10-12 17:59:49 UTC 
The setting is 

org.virt-manager.virt-manager.console.auto-redirect

to turn this off by default.
Comment 4 Christoph Anton Mitterer 2014-10-13 00:39:43 UTC 
In Debian, this has been fixed now by Guido, at least on the virt-viewer side.


But the following remain:
1) I just checked and the same problem issue exists in virt-viewer, i.e. USB devices are automatically redirected.
This is now Debian bug #765016.

2) The issue (2) I describe in comment #1 above, of course exists as well.
In Debian I've opened bug #765017 for that.

3) Are there other SPICE clients, known to upstream, which may be prone to these issues as well? In Debian there seems to be at least spice-client-gtk, vinagre and gnome-boxes which make use of the spice libs.


Cheers,
Chris.
Comment 5 Cole Robinson 2014-10-13 15:13:26 UTC 
Thanks for the report, but I don't see this behavior as a bug, or a default that needs to change. This feature is mostly made useful by its 'out of the box' behavior.

Another way to disable it is to go Edit->Preferences->New VM->Add Spice USB redirection which will remove the device magic that makes redirection happen.

The polkit rules should only work for the current active user, on the current seat, which means it should only work when the user at the physical machine plugs in a USB device. Meaning they should be expected to have access to it. If my understanding is incorrect and you still think there's a security implication, please open a bug against spice-gtk which provides this behavior.
Comment 6 Jaroslav Reznik 2015-03-03 16:21:39 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 7 Cole Robinson 2015-03-24 22:33:30 UTC 
Closing due to comment #5
Comment 8 Christoph Anton Mitterer 2015-03-24 22:59:13 UTC 
It's simply outrageous how upstream "deals" with the security of their user's data.

Why not just directly passing all host /dev/* on to the VM,... would make life for an attacker much easier.... o.O