The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of QEMU, Linux KVM: truncation of VNC password

Synthesis of the vulnerability 

When the user changes the VNC password via the QEMU console or Linux Kernel-Based Virtual Machine, it is truncated to 7 characters.
Impacted systems: Debian, Mandriva Linux, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.
Severity of this alert: 2/4.
Creation date: 30/12/2008.
References of this alert: BID-33020, CVE-2008-5714, DSA-1907-1, MDVSA-2009:008, MDVSA-2009:009, MDVSA-2009:010, SUSE-SR:2009:002, SUSE-SR:2009:008, VIGILANCE-VUL-8363.

Description of the vulnerability 

The QEMU emulator implements VNC for remote administration. Linux Kernel-Based Virtual Machine contains a copy of QEMU source code.

The do_change_vnc() function of monitor.c changes the VNC password. It calls the monitor_readline() function to read the new password. However, this function is called with a size limit of 8 (instead of 9), which leaves room for only 7 characters plus the terminating '\0'.

When the user changes the VNC password via the QEMU console or Linux Kernel-Based Virtual Machine, it is thus truncated to 7 characters. A brute force attack is therefore easier.
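
The off-by-one described above, modelled as an added example that is not QEMU's own code: it compares the flawed and corrected size arguments and shows that two passwords differing only in the eighth character are stored identically under the flawed call. Assumptions: read_bounded() is a hypothetical stand-in for monitor_readline(), and the 9-byte buffer is inferred from the "8 (instead of 9)" in the description.

```c
#include <stdio.h>
#include <string.h>

#define VNC_PW_BUF 9  /* assumed buffer: 8 password characters + '\0' */

/* Hypothetical stand-in for a bounded line reader: 'size' counts the
 * terminating '\0', so at most size-1 characters are kept. */
static void read_bounded(const char *typed, char *buf, size_t size)
{
    size_t n = strlen(typed);
    if (size == 0) return;
    if (n > size - 1) n = size - 1;
    memcpy(buf, typed, n);
    buf[n] = '\0';
}

/* Flawed call: passes 8 as the limit, so only 7 characters survive. */
static void set_password_flawed(const char *typed, char out[VNC_PW_BUF])
{
    read_bounded(typed, out, VNC_PW_BUF - 1);
}

/* Corrected call: passes the full buffer size, keeping 8 characters. */
static void set_password_fixed(const char *typed, char out[VNC_PW_BUF])
{
    read_bounded(typed, out, VNC_PW_BUF);
}

/* Returns 1 when two typed passwords end up stored as the same string. */
static int collide(void (*setter)(const char *, char *), const char *a, const char *b)
{
    char sa[VNC_PW_BUF], sb[VNC_PW_BUF];
    setter(a, sa);
    setter(b, sb);
    return strcmp(sa, sb) == 0;
}

int main(void)
{
    char stored[VNC_PW_BUF];
    /* Constructed sample passwords that differ only in the 8th character. */
    const char *a = "Tr0ub4dA", *b = "Tr0ub4dB";
    set_password_flawed(a, stored);
    printf("flawed stores %zu chars: %s\n", strlen(stored), stored);
    set_password_fixed(a, stored);
    printf("fixed  stores %zu chars: %s\n", strlen(stored), stored);
    printf("collision flawed=%d fixed=%d\n", collide(set_password_flawed, a, b), collide(set_password_fixed, a, b));
    return 0;
}
```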

This computer weakness alert impacts software or systems such as Debian, Mandriva Linux, NLD, OES, openSUSE, SLES, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this weakness note is medium.

The trust level is "confirmed by the editor", and the origin is a user shell.

An attacker with expert ability can exploit this weakness.

Solutions for this threat 

QEMU, Linux KVM: patch for VNC.
A patch is available in information sources.

Debian: new kvm packages.
New packages are available:
  http://security.debian.org/pool/updates/main/k/kvm/kvm_72+dfsg-5~lenny3_*.deb

Mandriva: new kvm packages.
New packages are available:
 Mandriva Linux 2009.0:
 acdff9c09970bba49f5b500723092f2b 2009.0/i586/kvm-74-3.1mdv2009.0.i586.rpm
 8ee1433de23a7fec8bc768a66585368c 2009.0/SRPMS/kvm-74-3.1mdv2009.0.src.rpm
 Mandriva Linux 2009.0/X86_64:
 b84f9ff6c8005e7de6996b3e1f04335d 2009.0/x86_64/kvm-74-3.1mdv2009.0.x86_64.rpm
 8ee1433de23a7fec8bc768a66585368c 2009.0/SRPMS/kvm-74-3.1mdv2009.0.src.rpm

Mandriva: new qemu packages.
New packages are available:
 Mandriva Linux 2008.0: qemu-0.9.0-16.3mdv2008.0
 Mandriva Linux 2008.1: qemu-0.9.0-18.3mdv2008.1
 Mandriva Linux 2009.0: qemu-0.9.1-0.r5137.1.1mdv2009.0

SUSE: new imlib2, valgrind, kvm, cups, lynx, xterm packages.
New packages are available.

SUSE: new multipath-tools, bluez, xntp, apache-mod_php4, apache2-mod_php5, struts, qemu, libsndfile, phpMyAdmin packages.
New packages are available.