[Libvirt-announce] LSN-2017-0002 - TLS certificate verification disabled for clients
by Daniel P. Berrange
Libvirt Security Notice: LSN-2017-0002
======================================
Summary: TLS certificate verification disabled for clients
Reported on: 20171005
Published on: 20171016
Fixed on: 20171016
Reported by: Daniel P. Berrange <berrange(a)redhat.com>
Patched by: Daniel P. Berrange <berrange(a)redhat.com>
See also: CVE-2017-1000256
Description
-----------
The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the TLS servers in QEMU request & verify
certificates from clients. This works as a simple access control
system for QEMU servers by requiring the CA to issue certs to
permitted clients. This use of client certificates is disabled by
default, since it requires extra work to issue client certificates.
Unfortunately the libvirt code was using these configuration
parameters when setting up both TLS clients and servers in QEMU. The
result was that TLS clients for character devices and disk devices
had verification turned off, meaning they would ignore any errors
while validating the server certificate.
Impact
------
A MITM attacker can attack any client connection made by QEMU's
character devices and disk devices which have TLS enabled. The
attacker can send an arbitrary certificate back to the client QEMU
and it will ignore all errors that result during validation.
Workaround
----------
Enable the 'default_tls_x509_verify' parameter in qemu.conf restart
libvirtd. This will trigger libvirt to turn on certificate
verification in QEMU clients. Unfortunately this will also turn on
use of client certificates in QEMU servers.
Affected product
----------------
Name: libvirt
Repository: git://libvirt.org/git/libvirt.git
http://libvirt.org/git/?p=libvirt.git
Branch: master
Broken in: v2.3.0
Broken in: v2.4.0
Broken in: v2.5.0
Broken in: v3.0.0
Broken in: v3.1.0
Broken in: v3.2.0
Broken in: v3.3.0
Broken in: v3.4.0
Broken in: v3.5.0
Broken in: v3.6.0
Broken in: v3.7.0
Broken in: v3.8.0
Fixed in: v3.9.0
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: 441d3eb6d1be940a67ce45a286602a967601b157
Branch: v3.0-maint
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: 16daadc708be65c2681f54d33ac4004ccaf6e82d
Branch: v3.2-maint
Broken in: v3.2.1
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: 9e6bc47bb541d8eea10cdd5704ea7f5e699bf0ba
Branch: v3.7-maint
Broken by: ce61c16450d4992612d1fc6f39a39e79bfccead5
Fixed by: dc6c41798d1eb5c52c75365ffa22f7672709dfa7
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
7 years, 2 months
[Libvirt-announce] Release of libvirt-3.8.0
by Daniel Veillard
I tagged the tree and pushed the release earlier today, signed tarball
and rpms should be available at the usual place:
ftp://libvirt.org/libvirt/
I also pushed the associated 3.8.0 for the python bindings which can be
found in the python subdir:
ftp://libvirt.org/libvirt/
This is a balanced release with new features especially for Qemu/KVM,
a reasonable set of improvement and bugs fixes:
New features:
-------------
- qemu: Added support for cold-(un)plug of watchdog devices
- qemu: Added support for setting IP address os usernet interfaces
- qemu: Added support for Veritas Hyperscale (VxHS) block devices
- storage: Added new events for pool-build and pool-delete
Improvements:
-------------
- qemu: Set DAC permissions properly for spice rendernode
When a rendernode path is set for SPICE GL on qemu:///system, we now
correctly set DAC permissions on the device at VM startup. This is the
last remaining hurdle to let SPICE GL work for qemu:///system without
any external host changes.
- nodedev: Add switchdev offload query to NIC capabilities
Allow querying the NIC interface capabilities for the availability of
switchdev offloading (also known as kernel-forward-plane-offload).
- New CPU models for AMD and Intel
AMD EPYC and Intel Skylake-Server CPU models were added together with
their features
- Improve long waiting when saving a domain
While waiting for a write to disk to be finished, e.g. during save,
even simple operations like virsh list would be blocking due to domain
lock. This is now resolved by unlocking the domain in places where it
is not needed.
* Bug fixes:
------------
- Proper units are now used in virsh manpage for dom(mem)stats
Previously the documentation used multiples of 1000, but now it is
fixed to use multiples of 1024.
- qemu: Fix error reporting when disk attachment fails
There was a possibility for the actual error to be overridden or
cleared during the rollback.
- qemu: Fix assignment of graphics ports after daemon restart
This could be seen with newer kernels that have bug regarding
SO_REUSEADDR. After libvirtd was restarted it could assign already used
address to new guests which would make them fail to start. This is
fixed by marking used ports unavailable when reconnecting to running
QEMU domains.
- Fix message decoding which was causing a very strange bug
When parsing an RPC message with file descriptors was interrupted and
had to restart, the offset of the payload was calculated badly causing
strange issues like not being able to find a domain that was not
requested.
thanks everybody who contributed to this release with bug reports, patches,
reviews, documentation, etc ...
Enjoy the release !
Daniel
--
Daniel Veillard | Red Hat Developers Tools http://developer.redhat.com/
veillard(a)redhat.com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | virtualization library http://libvirt.org/
7 years, 2 months