From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH v3] doc: document that the monitor console is a privileged control interface
Date: Thu, 11 Jul 2019 12:37:12 +0200
User-agent: Mutt/1.12.0 (2019-05-25)

On Fri, Jul 05, 2019 at 04:41:54PM +0100, Daniel P. Berrangé wrote:
> A supposed exploit of QEMU was recently announced as CVE-2019-12928
> claiming that the monitor console was insecure because the "migrate"
> command enabled arbitrary command execution for a remote attacker.
> 
> To be a security risk the user launching QEMU must have configured
> the monitor in a way that allows for other users to access it. The
> exploit report quoted use of the "tcp" character device backend for
> QMP.
> 
> This would indeed allow any network user to connect to QEMU and
> execute arbitrary commands, however, this is not a flaw in QEMU.
> It is the normal expected behaviour of the monitor console and the
> commands it supports. Given a monitor connection, there are many
> ways to access host file system content besides the migrate command.
> 
> The reality is that the monitor console (whether QMP or HMP) is
> considered a privileged interface to QEMU and as such must only
> be made available to trusted users. IOW, making it available with
> no authentication over TCP is simply a, very serious, user
> configuration error not a security flaw in QEMU itself.
> 
> The one thing this bogus security report highlights though is that
> we have not clearly documented the security implications around the
> use of the monitor. Add a few paragraphs of text to the security
> docs explaining why the monitor is a privileged interface and making
> a recommendation to only use the UNIX socket character device backend.
> 
> Reviewed-by: Alex Bennée <address@hidden>
> Reviewed-by: Markus Armbruster <address@hidden>
> Reviewed-by: Prasad J Pandit <address@hidden>
> Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
> Signed-off-by: Daniel P. Berrangé <address@hidden>
> ---
> 
> Changed in v3:
> 
>  - More copy editing from review feedback (Markus, PJP, Alex)
> 
> Changed in v2:
> 
>  - Addressed misc typos (Eric / Philippe)
> 
>  docs/security.texi | 36 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 36 insertions(+)

Reviewed-by: Stefan Hajnoczi <address@hidden>
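
The commit message above recommends the UNIX socket backend over "tcp" for the monitor. The following Python check is an added example, not part of the patch or of QEMU; it classifies each monitor/QMP endpoint on a QEMU command line as network-reachable or local. The function names and sample command lines are constructed for illustration.

```python
import shlex

# Legacy -qmp/-monitor device strings that listen on the network.
NETWORK_PREFIXES = ("tcp:", "telnet:", "udp:", "websocket:")
LEGACY_FLAGS = {"-qmp", "-qmp-pretty", "-monitor"}

def parse_opts(value):
    """Split 'socket,id=mon0,path=/x' into ('socket', {'id': 'mon0', ...})."""
    items = value.split(",")
    return items[0], dict(i.partition("=")[::2] for i in items if "=" in i)

def audit_monitor(cmdline):
    """Return [(flag, value, verdict)] for each monitor endpoint in a QEMU
    command line; verdict is 'network', 'local' or 'unknown'."""
    argv = shlex.split(cmdline)
    # QEMU accepts -opt and --opt; normalise flags to the single-dash form.
    norm = lambda f: "-" + f.lstrip("-") if f.startswith("-") else f
    pairs = [(norm(f), v) for f, v in zip(argv, argv[1:])]
    chardevs = {}
    for flag, value in pairs:
        if flag == "-chardev":
            backend, opts = parse_opts(value)
            chardevs[opts.get("id")] = (backend, opts)

    def resolve(name):
        if name not in chardevs:
            return "unknown"
        backend, opts = chardevs[name]
        # socket + path= is a UNIX socket; socket + port= is TCP.
        tcp = backend == "socket" and "port" in opts
        return "network" if tcp or backend == "udp" else "local"

    findings = []
    for flag, value in pairs:
        if flag in LEGACY_FLAGS and value.startswith("chardev:"):
            verdict = resolve(value[len("chardev:"):])
        elif flag in LEGACY_FLAGS:
            verdict = "network" if value.startswith(NETWORK_PREFIXES) else "local"
        elif flag == "-mon":
            first, opts = parse_opts(value)
            verdict = resolve(opts.get("chardev", first))  # -mon [chardev=]name
        else:
            continue
        findings.append((flag, value, verdict))
    return findings

# Constructed sample command lines (not taken from the CVE report).
TCP_QMP = "qemu-system-x86_64 -m 2G -qmp tcp:0.0.0.0:4444,server,nowait"
UNIX_QMP = ("qemu-system-x86_64 -m 2G -chardev socket,id=mon0,"
            "path=/run/qemu/vm1.qmp,server,nowait -mon chardev=mon0,mode=control")
```

A TCP listener bound to loopback is still reported as `network`, since any local user can connect to it.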
