Bug 1253882 (CVE-2015-5201)

Summary: CVE-2015-5201 RHEV: vdsm spice disable-ticketing and VM suspend and restore allows auth bypass
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: acathrow, alonbl, bazulay, berrange, bmcclain, chrisw, dblechte, eblake, ecohen, fdeutsch, gklein, idith, iheim, jdenemar, jsuchane, knoel, kseifried, lpeer, lsurette, michal.skrivanek, nlevinki, nobody, pkrempa, pstehlik, rbalakri, rfortier, security-response-team, sgirijan, shtripat, sisharma, smohan, ssaha, vbellur, ycui, yeylon
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-23 04:14:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1234197, 1254164    
Bug Blocks: 1253883    

Description Kurt Seifried 2015-08-15 00:36:01 UTC
Michal Skrivanek of Red Hat reports:

If vdsm is run with -spice disable-ticketing and a VM is suspended and then
restored, any remote user will be allowed to connect without authentication.

Comment 1 Kurt Seifried 2015-08-15 00:51:03 UTC
Acknowledgement:

This issue was discovered by Michal Skrivanek of Red Hat.

Comment 2 Kurt Seifried 2015-08-19 22:52:02 UTC
Not sure if this is going into 3.4.5.1 or 3.5.5; either way, 3.4.5 is still not out, so it's a moot point right now.

Comment 3 Kurt Seifried 2015-08-21 17:22:08 UTC
*** Bug 1254661 has been marked as a duplicate of this bug. ***

Comment 4 Kurt Seifried 2015-08-22 02:24:42 UTC
The libvirt side of this is not a security issue, but the libvirt interaction with vdsm is a problem.

Comment 5 Jaroslav Suchanek 2015-08-25 13:42:12 UTC
As for the libvirt side, all patches fixing the issue are already upstream and backported in the 7.1.z counterpart (bug 1255859).

Please advise how we should proceed. Is it possible to release the fix in the next z-stream batch release (end of 2015-09)?

Comment 6 Kurt Seifried 2015-08-27 14:59:13 UTC
(In reply to Jaroslav Suchanek from comment #5)
> As for the libvirt side, all patches fixing the issue are already upstream
> and backported in the 7.1.z counterpart (bug 1255859).
> 
> Please advise how we should proceed. Is it possible to release the fix in
> the next z-stream batch release (end of 2015-09)?

That's fine by me. I have no real say over what happens with non-security bugs, though, but obviously would appreciate this being fixed sooner rather than later.

Comment 7 Fabian Deutsch 2015-10-06 17:43:06 UTC
Michal, do you know if any additional patches from the vdsm side are required to fix this?

Comment 8 Michal Skrivanek 2015-10-09 10:37:31 UTC
No, just "Requires:" done in https://gerrit.ovirt.org/#/c/46214/ (corresponding bug 1262783)

Comment 9 Kurt Seifried 2015-12-23 04:14:49 UTC
Statement:

This issue was fixed in RHSA-2015-2527 (https://rhn.redhat.com/errata/RHEA-2015-2527.html) in the rhev-hypervisor package.