Bug 1180092 - When set/update graphics password to empty, log in guest with spice and vnc show different behaviour
Summary: When set/update graphics password to empty, log in guest with spice and vnc s...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Jiri Denemark
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Keywords:
: 969542 (view as bug list)
Depends On:
Blocks: CVE-2016-5008
TreeView+ depends on / blocked
 
Reported: 2015-01-08 10:38 UTC by vivian zhang
Modified: 2016-11-03 18:11 UTC (History)
9 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-11-03 18:11:26 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2577 normal SHIPPED_LIVE Moderate: libvirt security, bug fix, and enhancement update 2016-11-03 12:07:06 UTC
Red Hat Bugzilla 969542 None None None Never

Internal Trackers: 969542

Description vivian zhang 2015-01-08 10:38:44 UTC
Description of problem:
When set/update graphics password to empty, log in guest with spice and vnc show different behaviour. For spice login failed always, for vnc login success without input any password.

Version-Release number of selected component (if applicable):
libvirt-1.2.8-11.el7.x86_64
qemu-kvm-rhev-2.1.2-17.el7.x86_64
3.10.0-220.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
 1. Define guest with a graphics device like:
    .........................................
      <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

    .........................................

 2. Start guest, and xonnecting with virt-viewer .
      # virsh start rhel7

    # virsh dumpxml rhel7 --security-info |grep graphics -A 2
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>


      # virt-viewer rhel7
open the window without input any password, just click "OK" button, guest can be login success with empty password for vnc graphics

 3. The problem can be reproduced when changed the graphics passwd from an non-empty to an empty
    # virsh dumpxml rhel7 --security-info |grep graphics -A 2
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' passwd='123'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>


    # cat change-passwd.xml
    <graphics type='vnc' port='-1' autoport='yes'  listen='0.0.0.0' passwd=''/>
    # virsh update-device rhel7 change-passwd.xml

    # virsh dumpxml rhel7 --security-info  |grep graphics -A 2
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>


    login the guest with virt-viewer command
    # virt-viewer rhel7
    also can connect the guest success with empty password

4. produce the above steps on RHEL6.6 libvirt-0.10.2-46.el6.x86_64, the guest can not be connected when set graphics vnc password to empty, the same result with bug 859317.

5. retest step 1-4 when configure guest with
# virsh dumpxml rhel7 --security-info  |grep graphics -A 2
    <graphics type='spice' port='5900' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

6. start guest and connect with virt-viewer failed
# virt-viewer rhel7
open the window without input any password, just click "OK" button, guest can not be login success with empty password for spice graphics, an error pop-up with "Unable to authenticate with remote desktop server:invalid password".

try with different password value, such as "NULL, null, none, blank" all failed.

7. when update spice graphics password to empty, guest can not be login also



Actual results:
When set/update graphics password to empty, log in guest with spice and vnc show different behaviour. For spice login failed always, for vnc login success always.

Expected results:
when set/update graphics password to empty, log in guest with spice and vnc should show the same behavior. It should be all permitted, or all forbidden.

Comment 5 Cole Robinson 2016-04-14 21:24:53 UTC
I dug into this a bit. I don't plan on working on it, I just figured I'd report my findings.

vnc password="" lets the user auth with an empty password. spice password="" will give a password prompt but not accept _any_ password, effectively blocking usage of the viewer. The spice behavior is the semantics documented in qemu.conf, so the vnc_password docs are presently wrong

VNC password support added to libvirt, presumably with the qemu.conf semantics intact:

commit 38017949080674d65d580905dbe88ca3685a93cd
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Thu Jan 29 17:50:00 2009 +0000

    Support VNC password setting in QEMU driver


Not long after, the vnc password="" behavior is broken in qemu 0.12.0. password="" fully turns off password auth, so not even a prompt:

commit 52c18be9e99dabe295321153fda7fce9f76647ac
Author: Zachary Amsden <zamsden@redhat.com>
Date:   Thu Jul 30 00:15:01 2009 -1000

    When using stdio monitor and VNC display, one can set or clear a VNC password; this should set or turn off VNC authentication as well.


Eventually people notice, https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/697197 is filed that libvirt's documented behavior is wrong. This turns into the qemu 0.14.0 commit:

    commit 1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b
    Author: Anthony Liguori <aliguori@us.ibm.com>
    Date:   Mon Jan 31 14:27:36 2011 -0600

        vnc: Fix password expiration through 'change vnc ""' (v2)

So that revived the old behavior of the monitor command: change vnc password "" . However also in 0.14.0 the set_password command was added (which has more options and works for spice too).

The set_password command deliberately does _not_ have the documented semantics for VNC: password="" is treated as an empty string password. The commit suggests adding a new command to handle blocking password access entirely rather than overloading things.

Confusingly enough, set_password for spice with password="" _does_ keep the libvirt documented semantics :) Spice may just not allow empty string passwords though, I didn't investigate

Eventually libvirt grows qmp support, and the only command converted to qmp is set_password, whose semantics haven't changed to this day. So any qemu that libvirt uses qmp with will show this bug.

I think all the bits are inplace to fix it though using the expire_time monitor command which libvirt already supports. 'expire_time now' looks like it gives the expected semantics of showing a password dialog but no passwords are considered valid. I haven't actually tested it though.

Comment 6 Cole Robinson 2016-04-14 21:26:12 UTC
*** Bug 969542 has been marked as a duplicate of this bug. ***

Comment 7 Jiri Denemark 2016-06-30 08:34:16 UTC
This issue is now fixed upstream by v2.0.0-rc2-3-gbb848fe:

commit bb848feec0f3f10e92dd8e5231ae7aa89b5598f3
Author:     Jiri Denemark <jdenemar@redhat.com>
AuthorDate: Tue Jun 28 14:39:58 2016 +0200
Commit:     Jiri Denemark <jdenemar@redhat.com>
CommitDate: Thu Jun 30 10:20:44 2016 +0200

    qemu: Let empty default VNC password work as documented
    
    CVE-2016-5008
    
    Setting an empty graphics password is documented as a way to disable
    VNC/SPICE access, but QEMU does not always behaves like that. VNC would
    happily accept the empty password. Let's enforce the behavior by setting
    password expiration to "now".
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1180092
    
    Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

Comment 9 yanqzhan@redhat.com 2016-07-06 09:43:21 UTC
Reproduce this bug with libvirt-1.2.17-13.el7_2.5.x86_64. 
steps and results are as comment 0.

Verify this bug with libvirt-2.0.0-1.el7.x86_64.
Steps to Verify:

 1. Define a guest with vnc graphics device like:
    .........................................
      <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    .........................................

 2. Start guest, and connect with virt-viewer .
#virsh start testvm
Domain testvm started
#virsh dumpxml testvm --security-info  |grep graphics -A2
     <graphics type='vnc' port='5901' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

#virt-viewer testvm
open the window without input any password, just click "OK" button, guest can not be login, with following error occurred"
"Unable to authenticate with remote desktop server at localhost:5901: Authentication failed
Retry connection again?"

 3. The problem can also be tested when change the graphics passwd from a non-empty to an empty.
    # virsh dumpxml testvm --security-info |grep graphics -A 2
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' passwd='123'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
(can login guest with passwd 123 now.)

    # cat change-passwd.xml
    <graphics type='vnc' port='-1' autoport='yes'  listen='0.0.0.0' passwd=''/>

    # virsh update-device testvm change-passwd.xml
   Device updated successfully

    # virsh dumpxml testvm --security-info  |grep graphics -A 2
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

    # virt-viewer testvm
    can not connect the guest with empty password either.

4.retest step 1-3 when configure guest with
# virsh dumpxml testvm --security-info  |grep graphics -A 2
    <graphics type='spice' port='5900' autoport='yes' listen='0.0.0.0' passwd=''>
      <listen type='address' address='0.0.0.0'/>
    </graphics>

5.start guest and connect with virt-viewer failed
# virt-viewer testvm
open the window without input any password, just click "OK" button, guest can not be login successfully, an error pop-up with "Unable to authenticate with remote desktop server: Invalid password".

try with different password value, such as "NULL, null, none, blank, 'space' key " all failed.

6. when update spice graphics password from non-empty to empty, guest can not be login either.

Since the result is as expected, mark this bug verified.

Comment 11 errata-xmlrpc 2016-11-03 18:11:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2577.html


Note You need to log in before you can comment on or make changes to this bug.