[Pkg-libvirt-maintainers] Bug#909389: virt-inst --location security concern
Simon Josefsson
simon at josefsson.org
Sat Sep 22 21:51:36 BST 2018
Package: virtinst
Version: 1:1.4.0-5
I rediscovered a problem I found a couple of years ago, and thought I'd
report it properly this time.
The problem is that "virt-install --location" does not verify
checksums/signatures of what is downloaded, and is thus vulnerable to a
network attack where someone replaces the kernel/initrd with a version
that is malicious. As far as I know, there is no way to tell virt-
install what checksums to expect.
See earlier discussion here: https://www.redhat.com/archives/virt-tools
-list/2015-April/msg00214.html
Quoting the manpage which gives http-URLs to use:
--location OPTIONS
...
Debian
http://ftp.us.debian.org/debian/dists/stable/main/instal
ler-amd64/
Ubuntu
http://us.archive.ubuntu.com/ubuntu/dists/wily/main/inst
aller-amd64/
A workaround is to replace the recommended http URLs with https URLs.
I checked that CA verification of the domain name works. This gives
some protection, but far from a GnuPG-based verification that would be
ideal.
Run this command to see what is happening:
virt-install --name foo --memory 500 --disk none --location http://deb.
debian.org/debian/dists/stable/main/installer-amd64/ --noautoconsole --
debug
/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-libvirt-maintainers/attachments/20180922/03e7297f/attachment.sig>
More information about the Pkg-libvirt-maintainers
mailing list