USN-1063-1: QEMU vulnerability

14 February 2011

Blank passwords allowed unrestricted QEMU VNC session access.

Releases

Packages

  • qemu-kvm - Full virtualization on i386 and amd64 hardware

Details

Neil Wilson discovered that if VNC passwords were blank in QEMU
configurations, access to VNC sessions was allowed without a password
instead of being disabled. A remote attacker could connect to running
VNC sessions of QEMU and directly control the system. By default, QEMU
does not start VNC sessions.

References