qubes-mirage-firewall is an alternative to Qubes's default Linux-based 
sys-firewall, written mostly in OCaml. The MirageOS security team today 
published MirageOS Security Announcement 02, describing a grant unshare 
vulnerability in mirage-xen versions before 3.3.0:

  https://mirage.io/blog/MSA02

The current release of qubes-mirage-firewall (v0.5, released 2019-04-04) 
already has the fixes, but if you are using an older release then you should 
upgrade (see https://github.com/mirage/qubes-mirage-firewall for instructions).

The vulnerability means that older versions of the firewall could be attacked 
by a compromised sys-net domain. An attempted attack (on old or new versions of 
the firewall) will result in the message "WARNING: g.e. still in use!" 
appearing in the firewall's logs. You can check for this message from dom0 with:

[dom0]$ grep 'still in use' /var/log/xen/console/guest-mirage-firewall.*

This command should produce no results. I found the bug while reviewing some of 
the Mirage code, so I would not expect anyone to find anything this way.

The vulnerability cannot be exploited directly over the Internet (you have to 
compromise sys-net first). It also cannot be exploited from the firewall's 
client AppVMs (only from sys-net). A successful attack allows sys-net to retain 
access to pages of the firewall's memory after the firewall thinks that it has 
revoked access. It's not clear exactly what sys-net could do with that, but 
upgrading is strongly recommended!

From https://github.com/mirage/qubes-mirage-firewall/issues/57

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f0053529-c6fa-43e4-bba4-c8f03fe8e88e%40googlegroups.com.
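As an added example (not code from the post above or from the qubes-mirage-firewall project), the POSIX shell script below automates the two things the announcement asks a user to do: scan the firewall's Xen console log for the "WARNING: g.e. still in use!" line that an attempted attack leaves behind, and compare a mirage-xen version string against 3.3.0, the first release with the fix. The log path and the 3.3.0 threshold come from the announcement; the function names, the log line layout in the sample and the version strings being compared are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the qubes-users post or the qubes-mirage-firewall
# project. It automates the two actions the advisory asks for: scanning the
# firewall's Xen console log for "WARNING: g.e. still in use!" (the trace an
# attempted attack leaves) and checking a mirage-xen version against 3.3.0,
# the first release with the fix. Function names are this example's own.

# Path and version are the ones named in the post; the log line layout below
# is constructed for this example and is not a real capture.
CONSOLE_LOG_GLOB='/var/log/xen/console/guest-mirage-firewall.*'
MIRAGE_XEN_FIXED='3.3.0'

# make_sample_log: write a constructed console log to a temp file, print its path.
make_sample_log() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
Client: Connected to sys-net
Firewall rules loaded
WARNING: g.e. still in use!
Netback: dropping frame from sys-net
EOF
    printf '%s\n' "$tmp"
}

# scan_ge_warnings FILE...: print every matching line as FILE:LINENO:TEXT.
# Returns 0 when no warning was found (the clean result the post expects)
# and 1 when at least one was, so the function can gate a cron job or alert.
scan_ge_warnings() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        matches=$(grep -n 'still in use' "$f") || continue
        printf '%s\n' "$matches" | sed "s|^|$f:|"
        found=1
    done
    return "$found"
}

# count_ge_warnings FILE...: print the total number of warning lines.
count_ge_warnings() {
    total=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        n=$(grep -c 'still in use' "$f") || true   # grep -c exits 1 on zero matches
        total=$((total + n))
    done
    printf '%s\n' "$total"
}

# version_ge A B: succeed when dotted version A is at least B, comparing
# numeric components left to right (3.10.0 > 3.3.0; 3.3 equals 3.3.0).
# Non-numeric suffixes such as "~dev" are ignored.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; ai=${ai%%[!0-9]*}
        bi=${b%%.*}; bi=${bi%%[!0-9]*}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a='';; esac
        case $b in *.*) b=${b#*.};; *) b='';; esac
    done
    return 0
}

# mirage_xen_status VERSION: print "fixed" or "vulnerable" relative to MSA02.
mirage_xen_status() {
    if version_ge "$1" "$MIRAGE_XEN_FIXED"; then
        printf 'fixed\n'
    else
        printf 'vulnerable\n'
    fi
}

# Demo on the constructed log; on a real dom0 pass $CONSOLE_LOG_GLOB instead.
log=$(make_sample_log)
if scan_ge_warnings "$log"; then
    echo "no grant warnings: nothing to do"
else
    echo "grant warning(s) found: treat sys-net as suspect and upgrade the firewall"
fi
rm -f "$log"
echo "mirage-xen 3.2.0 is $(mirage_xen_status 3.2.0); 3.3.0 is $(mirage_xen_status 3.3.0)"
```

On a real system the call would be `scan_ge_warnings $CONSOLE_LOG_GLOB` (unquoted, so the glob expands to every rotated log); the non-zero return on a hit is what makes the check usable from a periodic job rather than only by eye. The version comparison is deliberately component-wise rather than a string compare, since "3.10.0" sorts before "3.3.0" lexically but is newer.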