Bug 668589 (CVE-2011-0011)

Summary: CVE-2011-0011 qemu-kvm: Setting VNC password to empty string silently disables all authentication
Product: [Other] Security Response
Component: vulnerability
Reporter: Petr Matousek <pmatouse>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: lcapitulino, mkenneth, tburke, virt-maint, vkrizan, wnefal+redhatbugzilla, zamsden
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-07-29 13:39:46 UTC
Bug Depends On: 667976, 668598, 680886
Attachments: Fix to vnc password semantics (flags: none)

Description Petr Matousek 2011-01-10 20:45:01 UTC
Description of problem:
The semantics of the ',password' option to -vnc are that it enables the VNC auth scheme. If the VNC server password is unset or an empty string, all attempts to authenticate with the server will be explicitly blocked.

This allows applications to enable and selectively allow access for a period of time, before clearing the password again to prevent further access.

Upstream changes have introduced a flaw by disabling all authentication when the password was cleared with upstream commit [1].

[1] http://www.qemu.com/qemu.git/commit/?id=52c18be9e99dabe295321153fda7fce9f76647ac
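A check an operator can run against their own display after clearing the password, added here as an example (not code from this bug, the attached patch, or QEMU). It assumes the disabled authentication shows up in the RFB handshake as security type 1 (None) being offered instead of type 2 (VNC Authentication); the function names and the sample byte streams are constructed for illustration.

```python
import io
import socket
import struct

SEC_NONE, SEC_VNC = 1, 2  # RFB security types (RFC 6143): None, VNC Authentication

# Constructed server byte streams (not captures): version banner + security types.
SAMPLE_PASSWORD_KEPT = b"RFB 003.008\n" + bytes([1, SEC_VNC])
SAMPLE_AUTH_DISABLED = b"RFB 003.008\n" + bytes([1, SEC_NONE])

def _exact(read, n):
    data = read(n)
    if len(data) != n:
        raise ValueError("truncated RFB handshake")
    return data

def offered_security_types(read, write=lambda data: None):
    """Run the RFB version exchange; return the security types the server offers."""
    banner = _exact(read, 12)
    if not banner.startswith(b"RFB ") or banner[7:8] != b"." or banner[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(banner[4:7]), int(banner[8:11]))
    # Accept the server's version, capped at 3.8, the highest this parser handles.
    write(banner if version <= (3, 8) else b"RFB 003.008\n")
    if version < (3, 7):
        # RFB 3.3: the server dictates one type as a big-endian u32 (0 = refused).
        (chosen,) = struct.unpack(">I", _exact(read, 4))
        return [chosen] if chosen else []
    # RFB 3.7/3.8: u8 count, then that many one-byte types (count 0 = refused).
    count = _exact(read, 1)[0]
    return list(_exact(read, count))

def allows_unauthenticated(types):
    """True if the server offers security type None, i.e. no password is required."""
    return SEC_NONE in types

def probe(host, port=5900, timeout=5.0):
    """Read the offered types from a VNC display you operate (plain TCP assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            return offered_security_types(stream.read, sock.sendall)

if __name__ == "__main__":
    for name, raw in [("password kept", SAMPLE_PASSWORD_KEPT),
                      ("auth disabled", SAMPLE_AUTH_DISABLED)]:
        types = offered_security_types(io.BytesIO(raw).read)
        print(name, types, "FAIL" if allows_unauthenticated(types) else "OK")
```

A display configured with TLS advertises VeNCrypt (type 19) and negotiates its sub-authentication inside that exchange, which this check does not inspect.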

Comment 4 Neil Wilson 2011-01-28 18:02:42 UTC
Created attachment 475841 [details]
Fix to vnc password semantics

This patch corrects the flaw in qemu-kvm.

Please see http://launchpad.net/bugs/697197 for testing performed.

Comment 5 Petr Matousek 2011-02-28 11:09:05 UTC
Created qemu tracking bugs for this issue.

Affects: fedora-all [bug 680886]

Comment 6 errata-xmlrpc 2011-03-10 20:11:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0345 https://rhn.redhat.com/errata/RHSA-2011-0345.html

Comment 7 Petr Matousek 2012-03-30 17:33:58 UTC
This issue does not affect versions of the kvm package as shipped with Red Hat Enterprise Linux 5.