yahoo-eng-team team mailing list archive

[Bug 1840869] Re: VNC Server Unauthenticated Access

 

You mean the VNC server(s) that are created on the compute hosts for
their instances? Those are not supposed to be publicly accessible.
Access to those is done via the consoles API [1] which provides an
authentication token to the client. The client then connects to the
publicly-facing console proxy [2], which verifies the token, and
proxies the connection to the compute host. When using this mechanism,
the VNC server itself does not need authentication.

[1] https://docs.openstack.org/api-ref/compute/?expanded=get-vnc-console-os-getvncconsole-action-deprecated-detail,show-console-connection-information-detail#server-consoles

[2] https://docs.openstack.org/nova/latest/admin/remote-console-access.html

** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1840869

Title:
  VNC Server Unauthenticated Access

Status in OpenStack Compute (nova):
  Invalid

Bug description:
  When nova boots a server with VNC enabled, it does not require
  authentication if an attacker tries to connect to the remote host
  directly from the management network. The VNC server sometimes sends the
  connected user to the XDM login screen.

  A warning from Nessus report:

  VNC Server Unauthenticated Access

  Synopsis

  The remote VNC server does not require authentication.

  Description
  The VNC server installed on the remote host allows an attacker to connect to the remote host as no authentication is required to access this service.     

  The VNC server sometimes sends the connected user to the XDM login
  screen. Unfortunately, Nessus cannot identify this situation. In such
  a case, it is not possible to go further without valid credentials and
  this alert may be ignored.

  Solution
  Disable the No Authentication security type.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1840869/+subscriptions

