Mailinglist Archive: opensuse-factory (396 mails)

Re: [opensuse-factory] virtualbox from suse repo + usb support
C wrote:
On Thu, Jan 20, 2011 at 09:21, Michal Šebeň wrote:
hi folks,

as you might know, since VirtualBox 4.0.0 the "USB guest support" feature
is now open source code,
but during tests I found the problem: VirtualBox needs full access to
USB nodes, which, of course, could lead to a serious security problem
(see bnc#664520 for details) - this means that (currently) VirtualBox
(provided by SUSE) doesn't have USB guest support enabled by default

So I went to read the bug report.
https://bugzilla.novell.com/show_bug.cgi?id=664520

Have I got this right? .... this "security hole" could allow someone
who already has full user rights on the OS to access information that
he or she essentially already has rights and access to?

That seems like a real non-issue to me... like the Linux exploits that
give someone with root access a way to get root access...

Under what conditions would this USB access be a risk?

C.


If I understand that bug correctly, then the problem is that VBox has full rights to
access USB ports. So if you run a virtual machine and someone uses any security
hole in VirtualBox, then he can, with the permissions of VirtualBox, sniff e.g. a USB
keyboard, mouse etc. So the problem is that someone who doesn't have full user
rights (just vboxuser rights) can sniff USB devices and also send output there
(consider what you can put to USB).
Just my 2c.
Josef

--
Josef Reidinger
Appliance Toolkit team
maintainer of perl-Bootloader, yast2-bootloader and parts of webyast and SLMS