qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [Bug 1828207] [NEW] Request to add something like "Auth failed from IP" log report for built-in VNC server
@ 2019-05-08 10:11 Druta Pavel via Qemu-devel
  2019-05-08 13:08 ` [Qemu-devel] [Bug 1828207] " Daniel Berrange
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Druta Pavel via Qemu-devel @ 2019-05-08 10:11 UTC (permalink / raw)
  To: qemu-devel; +Cc: Druta Pavel

Public bug reported:

In environments that need publicly accessible VNC ports there are no logs or other registered events about authentication failures to analyze and/or integrate into automated services like fail2ban and so on.
Thus the built-in VNC service is vulnerable to brute-force attacks and, in combination with the weak built-in VNC-auth scheme, can be a security vulnerability.

Adding a simple log record like "QEMU VNC Authentication failed
192.168.0.5:5902 - 123.45.67.89:7898" will permit quickly integrating
it into a fail2ban system.

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: feature-request

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1828207

Title:
  Request to add something like "Auth failed from IP" log report for
  built-in VNC server

Status in QEMU:
  New

Bug description:
  In environments that need publicly accessible VNC ports there are no logs or other registered events about authentication failures to analyze and/or integrate into automated services like fail2ban and so on.
  Thus the built-in VNC service is vulnerable to brute-force attacks and, in combination with the weak built-in VNC-auth scheme, can be a security vulnerability.

  Adding a simple log record like "QEMU VNC Authentication failed
  192.168.0.5:5902 - 123.45.67.89:7898" will permit quickly integrating
  it into a fail2ban system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1828207/+subscriptions
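As an added example (not part of the bug report or of QEMU), the fail2ban-style detection the request is asking for, run over constructed log lines in the format proposed above: the ISO timestamp prefix, the `FAILREGEX` filter line and the 203.0.113.7 client are assumptions, and the sliding window shows why a per-source time limit (fail2ban's `findtime`) matters.

```python
import re
from collections import defaultdict
from datetime import datetime

# Proposed log format, with an assumed syslog-style ISO timestamp prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"QEMU VNC Authentication failed "
    r"(?P<server>\S+):\d+ - (?P<client>\S+):\d+$"
)

# Equivalent fail2ban failregex (assumed filter; fail2ban expands <HOST>).
FAILREGEX = r"^QEMU VNC Authentication failed \S+:\d+ - <HOST>:\d+$"

# Constructed sample log: 123.45.67.89 is the client from the report,
# 203.0.113.7 is a documentation-range address added for illustration.
SAMPLE_LOG = """\
2019-05-08T10:00:01 QEMU VNC Authentication failed 192.168.0.5:5902 - 123.45.67.89:7898
2019-05-08T10:00:03 QEMU VNC Authentication failed 192.168.0.5:5902 - 123.45.67.89:7899
2019-05-08T10:00:04 some unrelated line
2019-05-08T10:00:09 QEMU VNC Authentication failed 192.168.0.5:5902 - 123.45.67.89:7901
2019-05-08T10:05:00 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40001
2019-05-08T10:30:00 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40002
2019-05-08T10:31:00 QEMU VNC Authentication failed 192.168.0.5:5902 - 203.0.113.7:40003
""".splitlines()


def parse_line(line):
    """Return (timestamp, client_ip) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("client")


def find_bruteforce_sources(lines, maxretry=3, findtime_s=600):
    """fail2ban-style rule: flag a client once it has `maxretry` failures
    inside a sliding window of `findtime_s` seconds ending at the newest one.
    Returns {client_ip: ISO timestamp of the failure that tripped the rule}."""
    recent = defaultdict(list)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated line: never counted as a failure
        ts, client = parsed
        window = [t for t in recent[client]
                  if (ts - t).total_seconds() <= findtime_s]
        window.append(ts)
        recent[client] = window
        if len(window) >= maxretry and client not in flagged:
            flagged[client] = ts.isoformat()
    return flagged
```

With the default 10-minute window only 123.45.67.89 is flagged; 203.0.113.7 spreads its three failures over 26 minutes and is only caught when `findtime_s` is raised.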



* [Qemu-devel] [Bug 1828207] Re: Request to add something like "Auth failed from IP" log report for built-in VNC server
  2019-05-08 10:11 [Qemu-devel] [Bug 1828207] [NEW] Request to add something like "Auth failed from IP" log report for built-in VNC server Druta Pavel via Qemu-devel
@ 2019-05-08 13:08 ` Daniel Berrange
  2019-05-08 13:33   ` Peter Maydell
  2019-05-08 13:42 ` Daniel Berrange
  2021-05-05 11:28 ` Thomas Huth
  2 siblings, 1 reply; 6+ messages in thread
From: Daniel Berrange @ 2019-05-08 13:08 UTC (permalink / raw)
  To: qemu-devel

Note that any use of the built-in VNC-auth scheme is always considered a
security flaw. It should essentially never be used, especially not on
any public internet facing service, even if fail2ban were able to be
used.

A secure VNC server should use the VeNCrypt extension which enables TLS,
with optional client certificate validation as an auth mechanism.  Once
you have TLS enabled, you can also then enable the SASL auth mechanism
to further authenticate clients using Kerberos or PAM, or other SASL
plugins.

That's not to say we shouldn't emit a log message, suitable for
consuming from fail2ban, as remote clients can still trigger a CPU
denial of service by repeatedly connecting even if they ultimately
always fail authentication.




* Re: [Qemu-devel] [Bug 1828207] Re: Request to add something like "Auth failed from IP" log report for built-in VNC server
  2019-05-08 13:08 ` [Qemu-devel] [Bug 1828207] " Daniel Berrange
@ 2019-05-08 13:33   ` Peter Maydell
  2019-05-08 13:33     ` Peter Maydell
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Maydell @ 2019-05-08 13:33 UTC (permalink / raw)
  To: Bug 1828207; +Cc: QEMU Developers

On Wed, 8 May 2019 at 14:23, Daniel Berrange <1828207@bugs.launchpad.net> wrote:
>
> Note that any use of the built-in VNC-auth scheme is always considered a
> security flaw. It should essentially never be used, especially not on
> any public internet facing service, even if fail2ban were able to be
> used.

Should we deprecate-and-remove the feature, then?

thanks
-- PMM



* [Qemu-devel] [Bug 1828207] Re: Request to add something like "Auth failed from IP" log report for built-in VNC server
  2019-05-08 10:11 [Qemu-devel] [Bug 1828207] [NEW] Request to add something like "Auth failed from IP" log report for built-in VNC server Druta Pavel via Qemu-devel
  2019-05-08 13:08 ` [Qemu-devel] [Bug 1828207] " Daniel Berrange
@ 2019-05-08 13:42 ` Daniel Berrange
  2021-05-05 11:28 ` Thomas Huth
  2 siblings, 0 replies; 6+ messages in thread
From: Daniel Berrange @ 2019-05-08 13:42 UTC (permalink / raw)
  To: qemu-devel

The challenge is that this is the only auth scheme defined by the VNC protocol, aside from no-auth.
If we removed it, we'd no longer be compatible with the standard VNC protocol. We'd be making use of the TLS/SASL extensions mandatory if users want auth. This could ultimately push people to turn off auth altogether which is even worse.


* [Bug 1828207] Re: Request to add something like "Auth failed from IP" log report for built-in VNC server
  2019-05-08 10:11 [Qemu-devel] [Bug 1828207] [NEW] Request to add something like "Auth failed from IP" log report for built-in VNC server Druta Pavel via Qemu-devel
  2019-05-08 13:08 ` [Qemu-devel] [Bug 1828207] " Daniel Berrange
  2019-05-08 13:42 ` Daniel Berrange
@ 2021-05-05 11:28 ` Thomas Huth
  2 siblings, 0 replies; 6+ messages in thread
From: Thomas Huth @ 2021-05-05 11:28 UTC (permalink / raw)
  To: qemu-devel

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/170


** Changed in: qemu
       Status: New => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #170
   https://gitlab.com/qemu-project/qemu/-/issues/170

