[Secure-testing-team] Bug#764894: virt-manager: USB devices are generally redirected to VMs
Christoph Anton Mitterer
calestyo at scientia.net
Sat Oct 11 22:42:45 UTC 2014
Package: virt-manager
Version: 1:1.0.1-2.1
Severity: critical
Tags: security
Justification: root security hole
Hi.
Not sure whether the problem here is actually in virt-manager, libvirt
or spice-client-glib-usb-acl-helper.
So pleace redirect as necessary.
I've just noted a very serious behaviour (which is also why I marked
it as critical and root security hole):
It seems that when plugging an USB device into ay computer where
I run virtmanager and where I'm connected to some VMs via SPICE,
that such USB devices are forwarded to that VM. o.O
I wonder how it chooses to which the device is redirected if there
are more VMs connected.
Now SPICE seemst to be the default for newly created VMs via libvirt
and the SPICE USB Redirector devices are created per default as well.
Also this isn't like the "USB Host Device" hardware in
virtmanager/libvirt/qemu, where one at least has to select *which*
USB device is connected.
Now since VM's are often used by people as kind of jails, e.g. running
untrustworthy OSes or programs in it, or since the VM may be just on
any remote server (from work or wherever), redirecting USB devices
without asking is IMHO a great security hole.
The USB device could contain just anything, my most recent hard disk
backup (and thus root passwords, dmcrypt keys etc). or my private
picture collection.
The 2nd critical security aspect of this:
A normal user(!) is apparently allowed to redirect a hardware device.
Not sure whether this is the typical policykit problem that locally
logged in users are handled as if they were root... but hell, one
cannot simply give normal users full access to USB devices if root
hasn't manually allowed them.
Cheers,
Chris
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages virt-manager depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.22.0-1
ii gconf2 3.2.6-3
ii gir1.2-gtk-3.0 3.14.1-1
ii gir1.2-gtk-vnc-2.0 0.5.3-1.2
ii gir1.2-libvirt-glib-1.0 0.1.7-2.1
ii gir1.2-spice-client-gtk-3.0 0.25-1
ii gir1.2-vte-2.90 1:0.36.3-1
ii librsvg2-common 2.40.4-1
ii python-dbus 1.2.0-2+b3
ii python-gi 3.14.0-1
ii python-gi-cairo 3.14.0-1
ii python-ipaddr 2.1.11-2
ii python-libvirt 1.2.8-1
ii python-urlgrabber 3.9.1-4
pn python2.7:any <none>
pn python:any <none>
ii virtinst 1:1.0.1-2.1
Versions of packages virt-manager recommends:
ii gnome-icon-theme 3.12.0-1
ii libvirt-daemon 1.2.9-2
ii python-spice-client-gtk 0.25-1
Versions of packages virt-manager suggests:
ii gnome-keyring 3.14.0-1
ii python-gnomekeyring 2.32.0+dfsg-3
pn python-guestfs <none>
pn ssh-askpass <none>
pn virt-viewer <none>
-- no debconf information
More information about the Secure-testing-team
mailing list