It was found that after virtual machine conversion using virt-v2v the target VM does not have VNC password enabled even though the source VM does. An attacker able to connect to the target VM can possibly use this flaw to operate the VM with privileges of the logged in user.
+++ This bug was initially created as a clone of Bug #665347 +++
It also occurs with virt-v2v-0.6.3-4.el5.
+++ This bug was initially created as a clone of Bug #665345 +++
Created attachment 470410 [details]
log from LIBGUESTFS_TRACE=1
Description of problem:
Libvirt supports guests to have VNC encrypt when accessing guest via VNC. But after conversion, users won't be asked to enter VNC password.
BTW: It works on migrating guest (#virsh migrate...)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. LIBGUESTFS_TRACE=1 virt-v2v -ic xen+ssh://<ip> -op <pool> rhel5u6-32b-pv-vnc-passwd --network default 2>&1 >passwd.log
2. Start and run the converted guest
VNC encrypt will miss
VNC encrypt still exists, so when accessing guest via VNC users will be asked to enter password
xml of source image
#virsh edit rhel5u6-32b-pv-vnc-passwd
<type arch='x86_64' machine='xenpv'>linux</type>
<disk type='file' device='disk'>
<driver name='tap' type='aio'/>
<target dev='xvda' bus='xen'/>
<input type='mouse' bus='xen'/>
<graphics type='vnc' port='-1' autoport='yes' keymap='en-us' passwd='redhat'/>
It is not possible to fix this without a change to the libvirt perl bindings. I've filed appropriate bugs (bug 705791 and bug 705792) against perl-Sys-Virt in RHEL 5 and RHEL 6. Time constraints make it highly unlikely this bug will be fixed for RHEL 5.7.
Some more information: This bug only affects conversions when a guest is being converted to run on a RHEL/libvirt target hypervisor. RHEV does not allow a VNC password to be specified, so this bug is not applicable there.
During conversion to RHEL/libvirt, virt-v2v currently entirely ignores the guest's existing display configuration, and replaces it with:
<graphics type='vnc' port='-1' listen='127.0.0.1'/>
That is, the converted guest will always use VNC on the localhost interface with an automatically allocated port number. The scope of the loss of the VNC password is therefore limited to:
1. Conversions where the target is libvirt/RHEL (not RHEV) and
2. The target hypervisor allows unprivileged logins for users who are not also administrators.
I think in practise this scope is extremely small and could be handled with a release note until the perl bindings can be updated.
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1615 https://rhn.redhat.com/errata/RHSA-2011-1615.html