Bug 1062563 - (CVE-2017-1000256) VUL-0: CVE-2017-1000256: libvirt: QEMU TLS clients have x509 certificate verification disabled
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/193096/
CVSSv3:RedHat:CVE-2017-1000256:3.7:(A...
Reported: 2017-10-10 13:34 UTC by Marcus Meissner
Modified: 2017-10-27 22:37 UTC (History)

Comment 4 Marcus Meissner 2017-10-12 11:47:06 UTC
CRD: 2017-10-16 12:00 UTC
Comment 5 James Fehlig 2017-10-16 23:40:12 UTC
The issue is public and the fix is committed to libvirt.git

https://libvirt.org/git/?p=libvirt.git;a=commit;h=441d3eb6d1be940a67ce45a286602a967601b157

I've backported the patch to the SLE12 SP3 libvirt package and submitted req#144016. For Factory/SLE15, see req#534321.

AFAIK I'm done with this bug. Reassigning to security team...
Comment 7 Marcus Meissner 2017-10-17 05:55:04 UTC
qemu: ensure TLS clients always verify the server certificate

The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the QEMU TLS servers request & verify certificates
from clients. This works as a simple access control system for
servers by requiring the CA to issue certs to permitted clients.
This use of client certificates is disabled by default, since it
requires extra work to issue client certificates.

Unfortunately the code was using this configuration parameter when
setting up both TLS clients and servers in QEMU. The result was that
TLS clients for character devices and disk devices had verification
turned off, meaning they would ignore errors while validating the
server certificate.

This allows for trivial MITM attacks between client and server,
as any certificate returned by the attacker will be accepted by
the client.

This is assigned CVE-2017-1000256 / LSN-2017-0002

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
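The commit message above describes a configuration knob that was applied to the wrong side of the connection. The following is an added example, not libvirt's code and not part of this bug report, that models that mistake and its fix: it parses the TLS-related keys of a qemu.conf fragment, resolves a service's x509 verify setting the way the message describes (per-service key, then default_tls_x509_verify, otherwise off), and builds the properties for a QEMU tls-creds-x509 object for both endpoints. The key names and the dir/endpoint/verify-peer property names are real; the sample configuration, the object id format, the "disk" service name used in the usage call, and the fallback to /etc/pki/qemu are assumptions of the example.

```python
"""Added example (not libvirt's code): how the per-service and default
x509 verify settings in qemu.conf reach QEMU's tls-creds-x509 object,
contrasting the pre-fix behaviour (CVE-2017-1000256) with the fix."""
import re

# Constructed qemu.conf fragment for illustration. The key names are
# real libvirt 3.x settings; the values are chosen for this example.
SAMPLE_QEMU_CONF = """
# TLS on chardev TCP transports, but no client certificates issued,
# so server-side verification of client certs stays off.
chardev_tls = 1
default_tls_x509_cert_dir = "/etc/pki/qemu"
#default_tls_x509_verify = 1
chardev_tls_x509_verify = 0
"""

# key = value with a bare integer or a double-quoted string, optional
# trailing comment. Lists ([...]) are not needed for these keys.
_ENTRY = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(-?\d+))\s*(?:#.*)?$')


def parse_qemu_conf(text):
    """Parse the subset of libvirt's qemu.conf syntax used by the TLS keys."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented-out entry: no value is set
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"unsupported qemu.conf line: {line!r}")
        key, string, integer = m.groups()
        conf[key] = string if string is not None else int(integer)
    return conf


def x509_verify_setting(conf, service):
    """Resolve <service>_tls_x509_verify, falling back to
    default_tls_x509_verify. If neither is set, treat it as off, which
    is what the commit message describes as the default."""
    for key in (f"{service}_tls_x509_verify", "default_tls_x509_verify"):
        if key in conf:
            return bool(conf[key])
    return False


def x509_cert_dir(conf, service):
    """Resolve the certificate directory the same way. The final
    fallback /etc/pki/qemu is the directory named in qemu.conf's own
    comments; treating it as the built-in default is an assumption."""
    return conf.get(f"{service}_tls_x509_cert_dir",
                    conf.get("default_tls_x509_cert_dir", "/etc/pki/qemu"))


def tls_creds_props(conf, service, endpoint, fixed=True):
    """Properties for a QEMU tls-creds-x509 object. dir, endpoint and
    verify-peer are real QEMU property names; the object id format is
    an assumption of this example.

    fixed=False reproduces the pre-fix bug: the knob meant for servers
    ("must the peer present a cert?") is copied onto client endpoints,
    so a client with verify-peer=False accepts any server certificate.
    fixed=True applies the fix: client endpoints always verify."""
    if endpoint not in ("client", "server"):
        raise ValueError(f"unknown endpoint: {endpoint!r}")
    verify = x509_verify_setting(conf, service)
    if endpoint == "client" and fixed:
        verify = True  # the server certificate must always be checked
    return {
        "qom-type": "tls-creds-x509",
        "id": f"obj{service}_tls0",
        "dir": x509_cert_dir(conf, service),
        "endpoint": endpoint,
        "verify-peer": verify,
    }


def mitm_exposed_clients(conf, services, fixed):
    """Services whose client side would accept an attacker's certificate
    under the given behaviour (empty once the fix applies)."""
    return [s for s in services
            if not tls_creds_props(conf, s, "client", fixed)["verify-peer"]]


if __name__ == "__main__":
    conf = parse_qemu_conf(SAMPLE_QEMU_CONF)
    # "disk" stands in for the NBD disk client; it has no per-service
    # key in the sample, so it resolves through the default (assumed).
    for fixed in (False, True):
        print("fixed" if fixed else "pre-fix",
              tls_creds_props(conf, "chardev", "client", fixed),
              "exposed:", mitm_exposed_clients(conf, ["chardev", "disk"], fixed))
```

The point to check on a real host is the server/client asymmetry: leaving default_tls_x509_verify or chardev_tls_x509_verify at 0 is a legitimate choice when no client certificates have been issued, and after the fix it only affects what the server demands of clients; before the fix the same 0 silently switched off server certificate validation in every outgoing chardev and disk TLS connection QEMU made.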
Comment 9 Bernhard Wiedemann 2017-10-17 16:02:02 UTC
This is an autogenerated message for OBS integration:
This bug (1062563) was mentioned in
https://build.opensuse.org/request/show/534485 Factory / libvirt
Comment 10 Swamp Workflow Management 2017-10-25 16:09:54 UTC
SUSE-SU-2017:2850-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1062563,1062620
CVE References: CVE-2017-1000256
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libvirt-3.3.0-5.8.1
SUSE Linux Enterprise Server 12-SP3 (src):    libvirt-3.3.0-5.8.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libvirt-3.3.0-5.8.1
Comment 11 Andreas Stieger 2017-10-27 18:48:51 UTC
Release for Leap 42.3, done
Comment 12 Swamp Workflow Management 2017-10-27 22:11:24 UTC
openSUSE-SU-2017:2878-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1062563,1062620
CVE References: CVE-2017-1000256
Sources used:
openSUSE Leap 42.3 (src):    libvirt-3.3.0-9.1