Vigil@nce: qemu-kvm, access via VNC
January 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the password of qemu-kvm 0.10.6 is empty, an attacker can connect to VNC.
Creation date: 11/01/2011
Unix - platform
DESCRIPTION OF THE VULNERABILITY
The qemu-kvm product is a special version of qemu supporting hardware virtualization for Linux.
According to the documentation, when the VNC password is empty, authentication stays enabled (VNC_AUTH_VNC), but every attempt is rejected.
In version 0.10.6, the vnc_display_password() function was modified to use VNC_AUTH_NONE. Thus, when the VNC password is empty, every access is allowed.
When the password of qemu-kvm 0.10.6 is empty, an attacker can therefore connect to VNC.
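To check a host you operate for this condition, the following added example (not part of the original bulletin or of qemu-kvm) parses the opening bytes a VNC server sends and reports whether it advertises the RFB security type "None", the wire value corresponding to VNC_AUTH_NONE. The function names and the capture bytes are constructed for illustration, and the parser assumes the client echoed the server's protocol version.

```python
import struct

# RFB security type numbers; 1 and 2 correspond to VNC_AUTH_NONE and VNC_AUTH_VNC.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_server_hello(data):
    """Parse the 12-byte version banner plus the security message that follows it.

    Returns ((major, minor), [security type numbers offered by the server]).
    """
    if len(data) < 12 or not data.startswith(b"RFB ") or data[7:8] != b"." or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion banner")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) < (3, 7):
        # RFB 3.3: the server chooses one type and sends it as a 32-bit big-endian integer.
        if len(body) < 4:
            raise ValueError("truncated security type")
        types = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7/3.8: one count byte, then that many one-byte security types.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security type list")
        types = list(body[1:1 + body[0]])
    return (major, minor), types

def audit(data):
    """Return a one-line finding for one captured server hello."""
    _, types = parse_server_hello(data)
    names = ", ".join(SECURITY_TYPES.get(t, "type %d" % t) for t in types)
    if 1 in types:
        return "FAIL: console reachable without authentication (%s)" % names
    if not types or types == [0]:
        return "INFO: server refused the connection"
    return "OK: authentication required (%s)" % names

# Constructed captures, not taken from a real host.
EXPECTED_CAPTURE = b"RFB 003.008\n" + bytes([1, 2])       # offers VNC Authentication only
AFFECTED_CAPTURE = b"RFB 003.008\n" + bytes([1, 1])       # offers None only
LEGACY_CAPTURE = b"RFB 003.003\n" + struct.pack(">I", 1)  # RFB 3.3 server selecting None

if __name__ == "__main__":
    for capture in (EXPECTED_CAPTURE, AFFECTED_CAPTURE, LEGACY_CAPTURE):
        print(audit(capture))
```

A guest whose VNC password was cleared should produce the "OK" line (authentication offered, every attempt rejected); the "FAIL" line is what the behaviour described in this bulletin looks like on the wire.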