Re: [Qemu-devel] [PATCH v3] doc: document that the monitor console is a privileged control interface

From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH v3] doc: document that the monitor console is a privileged control interface
Date: Thu, 11 Jul 2019 12:37:12 +0200
User-agent: Mutt/1.12.0 (2019-05-25)
On Fri, Jul 05, 2019 at 04:41:54PM +0100, Daniel P. Berrangé wrote:
> A supposed exploit of QEMU was recently announced as CVE-2019-12928
> claiming that the monitor console was insecure because the "migrate"
> command enabled arbitrary command execution for a remote attacker.
>
> To be a security risk the user launching QEMU must have configured
> the monitor in a way that allows for other users to access it. The
> exploit report quoted use of the "tcp" character device backend for
> QMP.
>
> This would indeed allow any network user to connect to QEMU and
> execute arbitrary commands, however, this is not a flaw in QEMU.
> It is the normal expected behaviour of the monitor console and the
> commands it supports. Given a monitor connection, there are many
> ways to access host file system content besides the migrate command.
>
> The reality is that the monitor console (whether QMP or HMP) is
> considered a privileged interface to QEMU and as such must only
> be made available to trusted users. IOW, making it available with
> no authentication over TCP is simply a, very serious, user
> configuration error not a security flaw in QEMU itself.
>
> The one thing this bogus security report highlights though is that
> we have not clearly documented the security implications around the
> use of the monitor. Add a few paragraphs of text to the security
> docs explaining why the monitor is a privileged interface and making
> a recommendation to only use the UNIX socket character device backend.
>
> Reviewed-by: Alex Bennée <address@hidden>
> Reviewed-by: Markus Armbruster <address@hidden>
> Reviewed-by: Prasad J Pandit <address@hidden>
> Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
> Signed-off-by: Daniel P. Berrangé <address@hidden>
> ---
>
> Changed in v3:
>
> - More copy editing from review feedback (Markus, PJP, Alex)
>
> Changed in v2:
>
> - Addressed misc typos (Eric / Philippe)
>
> docs/security.texi | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
Reviewed-by: Stefan Hajnoczi <address@hidden>
signature.asc
Description: PGP signature
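The commit message above contrasts a monitor exposed through the "tcp" character device backend with the recommended UNIX socket backend. The following shell snippet is an added example, not part of this thread, the patch, or the QEMU project: it holds constructed QEMU command lines for both configurations (the socket paths, ports and chardev id are made up) and a small audit function that flags a command line whose HMP/QMP monitor is reachable over a network backend, so an operator can check running guests for this configuration error.

```shell
#!/bin/sh
# Constructed QEMU command lines for the example (not taken from the patch).
# Weak: QMP reachable by any host on the network, with no authentication.
WEAK='qemu-system-x86_64 -m 1G -qmp tcp:0.0.0.0:4444,server,nowait -drive file=disk.img'
# Recommended: QMP on a UNIX socket; access is governed by file permissions.
SAFE='qemu-system-x86_64 -m 1G -qmp unix:/run/vm1/qmp.sock,server,nowait -drive file=disk.img'
# The same two configurations expressed with -chardev socket plus -mon.
WEAK_CHARDEV='qemu-system-x86_64 -chardev socket,id=mon0,host=0.0.0.0,port=4444,server,nowait -mon chardev=mon0,mode=control'
SAFE_CHARDEV='qemu-system-x86_64 -chardev socket,id=mon0,path=/run/vm1/qmp.sock,server,nowait -mon chardev=mon0,mode=control'

# monitor_exposed_over_tcp CMDLINE
# Returns 0 (true) when CMDLINE exposes an HMP or QMP monitor over a TCP
# or telnet character device backend, 1 otherwise.
monitor_exposed_over_tcp() {
    cmdline=$1

    # Case 1: -monitor, -qmp or -qmp-pretty given a tcp: or telnet: backend.
    if printf '%s\n' "$cmdline" | grep -Eq -- '-(monitor|qmp|qmp-pretty) +(tcp|telnet):'; then
        return 0
    fi

    # Case 2: a -chardev socket backend that uses host= (TCP rather than path=)
    # and whose id is wired to a monitor with -mon chardev=<id>.
    ids=$(printf '%s\n' "$cmdline" \
          | grep -Eo -- '-chardev socket,[^ ]*host=[^ ]*' \
          | grep -Eo 'id=[^,]+' | cut -d= -f2 || true)
    for id in $ids; do
        if printf '%s\n' "$cmdline" | grep -Eq -- "-mon [^ ]*chardev=$id"; then
            return 0
        fi
    done

    return 1
}

# Stand-alone usage: report each constructed command line.
for c in "$WEAK" "$SAFE" "$WEAK_CHARDEV" "$SAFE_CHARDEV"; do
    if monitor_exposed_over_tcp "$c"; then
        echo "EXPOSED: $c"
    else
        echo "ok:      $c"
    fi
done
```

To audit live guests, feed the function real command lines, for instance from `ps -o args= -C qemu-system-x86_64`, one per call. The check deliberately treats only network backends as a finding: a UNIX socket monitor is still a privileged interface, but its reachability is bounded by the socket's file permissions rather than by whoever can open a TCP connection.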