-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Dear Qubes Community,
We have just published Qubes Security Bulletin (QSB) #45: Insecure default Salt configuration. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). View QSB #45 in the qubes-secpack: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-045-2018.txt Learn about the qubes-secpack, including how to obtain, verify, and read it: https://www.qubes-os.org/security/pack/ View all past QSBs: https://www.qubes-os.org/security/bulletins/ ======================================================================== ---===[ Qubes Security Bulletin #45 ]===--- 2018-12-03 Insecure default Salt configuration Summary ======== In Qubes OS, one use of Salt (aka SaltStack) is to configure software installed in domUs (including TemplateVMs and AppVMs). [1] To protect dom0 from potentially compromised domUs, all complex processing is done in a DisposableVM. [2] Each target domU being configured gets a separate DisposableVM, which is given power to execute arbitrary commands (through the qubes.VMShell qrexec service) in that target domU. In the default configuration, each DisposableVM generated for this purpose is based on the same default DVM Template that is used for all other default DisposableVM actions (including the default "Disposable: Firefox" menu entry). This DVM Template has a red label and has networking enabled, which might suggest that it is not security-critical. However, if this default DVM Template were compromised (for example, by a web browser plugin the user had installed there [3]), then the next time Salt were used, it could also compromise all target domUs it were configuring. Although it is possible to use an alternative DVM Template for Salt, the option to do so has not been exposed through any command-line or graphical user interface. Vulnerable systems ================== To exploit this vulnerability, two conditions must be met: 1. The user must actively use Salt to configure software inside a domU. This does not happen by default; user intervention is required. Only domUs configured by Salt are affected. 2. The user must compromise the default DVM Template. (For example, the user might customize the DVM Template by installing an untrusted program in it, not realizing the security implications of doing so.) The issue affects only Qubes OS 4.0. In Qubes 3.2, Salt processing occurs in a temporary AppVM based on the default TemplateVM. Resolution ========== To fix this problem, we are implementing two changes: 1. Adding the "management_dispvm" VM property, which specifies the DVM Template that should be used for management, such as Salt configuration. TemplateBasedVMs inherit this property from their parent TemplateVMs. If the value is not set explicitly, the default is taken from the global "management_dispvm" property. The VM-specific property is set with the qvm-prefs command, while the global property is set with the qubes-prefs command. 2. Creating the "default-mgmt-dvm" DVM Template, which is hidden from the menu (to avoid accidental use), has networking disabled, and has a black label (the same as TemplateVMs). This VM is set as the global "management_dispvm". Patching ========= The specific packages that resolve the problems discussed in this bulletin are as follows: For Qubes OS 4.0: - qubes-core-dom0 version 4.0.36 - qubes-mgmt-salt-dom0-virtual-machines version 4.0.15 - qubes-mgmt-salt-admin-tools version 4.0.12 For Qubes OS 3.2: - No packages necessary, since 3.2 is not affected. (See above for details.) The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. Credits ======== The issue was reported by Demi M. Obenour <demioben...@gmail.com> References =========== [1] https://www.qubes-os.org/doc/salt/#configuring-a-vms-system-from-dom0 [2] https://github.com/QubesOS/qubes-issues/issues/1541#issuecomment-187482786 [3] https://www.qubes-os.org/doc/dispvm-customization/ - -- The Qubes Security Team https://www.qubes-os.org/security/ ======================================================================== This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2018/12/03/qsb-45/ - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlwGEq0ACgkQ203TvDlQ MDDZLQ/9E/Hyg6/v7GoOyYy+sKZ+zsYQxL7XsQt6mLBK1EUJocEdE+HfyKq782Ic 2H2jCpd+MgeuLQFOX/EHGfIreQeKSS5eW6yCrurGYSph8DZYi7k3TFPLT7PXaJ/U m9ZLavpaq3hP+rNPJQNiNG5W4g3L5aKx9hX45GDrfNIrwtTxHi0QYGbtl/BKKZxT BXENJ/gtLWj2z4LAPJMtQamTFyMC7wxsHfDfdpW+gr1xxsd6aHaKgN6DTyHfzqJC 70MZdvYmcRWaKrPdZDE1fQYu/JuqKVGAR+inr8/9h7APVJb3+lmSLiYYWkg1Cz2Z uxgLHb/Rh6lULXcZVQ/be0IusBieys+DUz5Dhf9awSa0bg82wpx77aDUIr9aHgrv ukoNSCUbpI5madMwyfKeCN03PICafYfdHq4mW/qTWO5Ybsl0DYmjQD96eKn4HneY 7R3QabCxsUGgeUZo538mgs2ItUnufZRi6YKWiVUyXP2Ekt2PGBsZUVrtTqr8ftZn ivZ9nqDhG7jLU31cw1exYpQS+ZdjjFapcXqWuTLcaRra8G4BIQm/qP0rZgwWbpcY pc5gAfsCJna5TX7X0kS+VQRLgxSwDcVbhdaGJEt9nqsm0tj88eC0HYVZg7vpiHtP f43TY/7MJs0u9tu7lQY/rKJhNYmwNOQ6iVoTXgYd2fbi/d8ixRM= =C5Tr -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9e194e5c-f08b-72c4-6c97-69d79edfcd4a%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.