On Sunday, January 28, 2018 at 12:24:08 PM UTC-8, Vít Šesták wrote: > On January 27, 2018 7:57:02 AM GMT+01:00, Dave C wrote: > >* VMs that can't access the conference site (i.e. bluejeans.com) or > >can't access the net at all > > How can a VM without network access open a window in the X11 accessible from > network?
Indeed, I stand corrected. This point could apply to a restrictive firewall, but the VM would need to network with the local VM running vncserver. [snip] > > >My approach lowers security while screensharing. But the rest of the > >time, not screensharing, the VMs are running with normal firewall > >settings. > > It is likely that a VM can infect any other of the VMs (or the screensharing > VM). There are multiple potential ways to do so: > > a. Exploit some vulnerability in X11 protocol implementation. > b. Open a terminal (if not already opened) and type a command. This is > possible, because any client can inject any input events to other client. I can imagine opening a terminal in the VM running vncserver and the window manager. Could attacker open a terminal in other vm that has opened some application in that display? (Application that is not a terminal, I mean. I do see how an attacker could use any application shown in the display.) > c. Download some file using webbrowser and run/install it (e.g., using some > packaging system). > d. I remember I have read that X11 effectively provides no isolation between > apps and I had an impression that any app can by design even run some code in > another client. However, don't take this point as verified unless you verify > it from some other source. You make some great points. Thanks. I'm re-thinking my approach. -Dave > > Regards, > Vít Šesták 'v6ak' > > General note: Maybe top-posting is bad. However, quoting whole message > (including quotes of quotes and quotes of quotes of quotes etc.) before your > message is even worse. Please don't let others scroll extensively. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/777001bc-545b-419f-ab74-c1b160e1b48a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
