[Pkg-virtualbox-devel] Bug#760569: Virtualbox lets any user mess with system's network configuration

Ritesh Raj Sarraf rrs at researchut.com
Fri Sep 5 14:00:58 UTC 2014


On Friday 05 September 2014 06:35 PM, Evgeny Kapun wrote:
> Virtualbox lets any local user create and configure network interfaces (vboxnet*), and also send and receive traffic through them. It also lets users bridge their VMs to other network interfaces. Normally, such operations are reserved for users with CAP_NET_ADMIN capability for a good reason. Such actions can be used to disrupt other users' communications, capture their network traffic and even perform MITM attacks against them.

Thanks for this bug report. After your bug report, I went and checked 
the number of setuid binaries and there are many.

We should contain these to a single user/group (like libvirt does). 
That should be a good start.

-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
