| Summary: | app-emulation/qemu-kvm: setting VNC password to empty string silently disables all authentication (CVE-2011-0011) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | qemu+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=668589 | ||
| Whiteboard: | B4 [ebuild] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Paweł Hajdan, Jr. (RETIRED)
2011-01-28 18:20:59 UTC
As far as I understand it, an empty password means no authentication. See explanation here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134#10 No. An empty password means no(In reply to comment #1) > As far as I understand it, an empty password means no authentication. > > See explanation here: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611134#10 > Incorrect. You're grabbing the opinion of some person commenting on a Debian bug. The actual documentation reads as follows: # The default VNC password. Only 8 letters are significant for # VNC passwords. This parameter is only used if the per-domain # XML config does not already provide a password. To allow # access without passwords, leave this commented out. An empty # string will still enable passwords, but be rejected by QEMU # effectively preventing any use of VNC. This was determined to not be an error at all but in fact a misunderstanding of how VNC authentication worked. A blank password is meant to remove authentication and that's how applications that use qemu-kvm expect it to behave. CVE-2011-0011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0011): qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions. |
