Bug 702754 (CVE-2011-1773) - CVE-2011-1773 virt-v2v: vnc password protection is missing after vm conversion
Summary: CVE-2011-1773 virt-v2v: vnc password protection is missing after vm conversion
Alias: CVE-2011-1773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 665345 665347
TreeView+ depends on / blocked
Reported: 2011-05-06 20:23 UTC by Petr Matousek
Modified: 2019-09-29 12:44 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-07-29 12:44:48 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1615 0 normal SHIPPED_LIVE Low: virt-v2v security and bug fix update 2011-12-06 00:51:05 UTC

Description Petr Matousek 2011-05-06 20:23:48 UTC
It was found that after virtual machine conversion using virt-v2v the target VM does not have VNC password enabled even though the source VM does. An attacker able to connect to the target VM can possibly use this flaw to operate the VM with privileges of the logged in user.

Comment 1 Petr Matousek 2011-05-06 20:24:36 UTC
+++ This bug was initially created as a clone of Bug #665347 +++

It also occurs with virt-v2v-0.6.3-4.el5.

+++ This bug was initially created as a clone of Bug #665345 +++

Created attachment 470410 [details]

Description of problem:
Libvirt supports guests to have VNC encrypt when accessing guest via VNC. But after conversion, users won't be asked to enter VNC password. 

BTW: It works on migrating guest (#virsh migrate...) 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  LIBGUESTFS_TRACE=1 virt-v2v -ic xen+ssh://<ip> -op <pool> rhel5u6-32b-pv-vnc-passwd --network default 2>&1 >passwd.log

2. Start and run the converted guest

Actual results:
VNC encrypt will miss

Expected results:
VNC encrypt still exists, so when accessing guest via VNC users will be asked to enter password

Additional info:
xml of source image
#virsh edit rhel5u6-32b-pv-vnc-passwd
<domain type='xen'>
    <type arch='x86_64' machine='xenpv'>linux</type>
  <clock offset='utc'/>
    <disk type='file' device='disk'>
      <driver name='tap' type='aio'/>
      <source file='/var/lib/xen/images/rhel5u6-32b-pv-vnc-passwd.img'/>
      <target dev='xvda' bus='xen'/>
    <interface type='bridge'>
      <mac address='00:16:36:3e:eb:1b'/>
      <source bridge='xenbr0'/>
      <script path='vif-bridge'/>
    <console type='pty'>
      <target port='0'/>
    <input type='mouse' bus='xen'/>
    <graphics type='vnc' port='-1' autoport='yes' keymap='en-us' passwd='redhat'/>

Comment 3 Matthew Booth 2011-05-18 14:04:03 UTC
It is not possible to fix this without a change to the libvirt perl bindings. I've filed appropriate bugs (bug 705791 and bug 705792) against perl-Sys-Virt in RHEL 5 and RHEL 6. Time constraints make it highly unlikely this bug will be fixed for RHEL 5.7.

Some more information: This bug only affects conversions when a guest is being converted to run on a RHEL/libvirt target hypervisor. RHEV does not allow a VNC password to be specified, so this bug is not applicable there.

During conversion to RHEL/libvirt, virt-v2v currently entirely ignores the guest's existing display configuration, and replaces it with:

<graphics type='vnc' port='-1' listen=''/>

That is, the converted guest will always use VNC on the localhost interface with an automatically allocated port number. The scope of the loss of the VNC password is therefore limited to:

1. Conversions where the target is libvirt/RHEL (not RHEV) and
2. The target hypervisor allows unprivileged logins for users who are not also administrators.

I think in practise this scope is extremely small and could be handled with a release note until the perl bindings can be updated.

Comment 5 errata-xmlrpc 2011-12-06 14:49:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1615 https://rhn.redhat.com/errata/RHSA-2011-1615.html

Note You need to log in before you can comment on or make changes to this bug.