[qubes-devel] QSB-066: XML injection through libvirt domain configuration
Dear Qubes Community, We have just published Qubes Security Bulletin (QSB) 066: XML injection through libvirt domain configuration. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). View QSB-066 in the qubes-secpack: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-066-2021.txt Learn about the qubes-secpack, including how to obtain, verify, and read it: https://www.qubes-os.org/security/pack/ View all past QSBs: https://www.qubes-os.org/security/bulletins/ ``` ---===[ Qubes Security Bulletin 066 ]===--- 2021-03-03 XML injection through libvirt domain configuration User action required = Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0: - qubes-core-dom0 package, version 4.0.58-1 For Qubes 4.1: - qubes-core-dom0 package, version 4.1.20-1 The packages are to be installed in dom0 via the Qube Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing A system restart will be required afterwards. Alternatively, it is possible to restart qubesd with the following command in dom0: $ systemctl restart qubesd.service These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. Summary The libvirt domain configuration is an XML file built by filling a template with values specific to a particular domain -- mostly its properties but, in a few cases, "features" (extra properties that can be freely defined). While most of the properties have strictly-defined formats, some allow for a very broad range of values -- broad enough to allow characters that are otherwise special in XML. Using such characters in XML values requires escaping them, which was not enabled in the template engine we use (jinja2). The specific VM metadata properties that allow free text and are used in libvirt XML are as follows: - `kernelopts` property - `timezone` feature (although it is validated in the template itself) - `video-model` feature - `audio-model` feature (Qubes R4.1 only) Normally, this wouldn't be an issue, since all VM settings come from a trusted entity (dom0). However, with the introduction of the Admin API [1] in Qubes 4.0, it is possible to allow less trusted domains (known as "ManagementVMs") to manage a subset of VMs or their settings, including the affected properties and features. This, in turn, can be used to modify unintended parts of the libvirt XML. In the worst case, this could lead to code execution in dom0. To fix the issue, we're enabling the autoescape feature of the jinja2 template engine. This will cover the current problematic properties as well as any others that might be introduced in the future. Additionally, we're adding an extra validation step for "features" that are otherwise used in a free text form context (specifically, `net.fake-*` features are expected to be IP addresses, but they lacked such validation). Note that a ManagementVM can still break a VM it has control over, for example, by setting some property to an improper value in a given context (e.g., too little memory or too short of a startup timeout). However, after these changes, it should no longer be able to escalate its permissions beyond what it has been assigned. Impact === Default Qubes 4.0 and 4.1 configurations are not affected. If a less trusted domain (known as a "ManagementVM") is given Admin API access to set any of the affected properties or features on any domain (via the `admin.vm.property.Set` or `admin.vm.feature.Set` qrexec services), it may use this access to elevate its privileges and potentially take full control of the system. Note that `qubes.FeaturesRequest` is enabled by default but *is not* vulnerable for three reasons. First, feature names are read from qubesd, which enforces a whitelist of permitted characters in paths. None of the permitted characters are metacharacters in XML. Second, none of the features for which dom0 will honor a request have their values incorporated into libvirt XML. Third, `qubes.FeaturesRequest` can only unset a feature or set its value to `1`. Credits This issue was discovered by Demi Marie Obenour. References === [1] https://www.qubes-os.org/doc/admin-api/ -- The Qubes Security Team https://www.qubes-os.org/security/ ``` This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2021/03/03/qsb-066/ -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To
Re: [qubes-devel] Xen exploit mitigations
Op woensdag 3 maart 2021 om 04:47:51 UTC+1 schreef marm...@invisiblethingslab.com: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On Tue, Mar 02, 2021 at 11:17:54AM -0800, Scumbag wrote: > > > > I asked this before on Qubes > > forum(https://qubes-os.discourse.group/t/xen-exploit-migitations/2469), > but > > there were no replies so I'm hoping I'll get replies here: > > > > I saw in the Xen 4.14 release notes that Xen now supports hardware based > > Control-flow Enforcement Technology (CET) which has been introduced into > > Intels Tiger Lake and AMDs Zen3 CPUs. > > - Does Qubes support this as well? > > Yes, we do have this enabled in Qubes 4.1. > > > - And does Xen also have a softwarebased CFI? > > Not that I'm aware of. > > > - Does Xen also support ASLR now? Some years ago I read a post from > Qubes > > saying that Xen didn’t have many exploit migitations and didn’t even > > support ASLR. > > Indeed Xen doesn't have ASLR and won't have anytime soon (PV must die > first, at the very least). But it does use some other mitigations like > SMAP/SMEP. And also some of the more complex parts like instruction > emulator are integrated with fuzzy testing. > > - -- > Best Regards, > Marek Marczykowski-Górecki > Invisible Things Lab > -BEGIN PGP SIGNATURE- > > iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmA/Bt4ACgkQ24/THMrX > 1yye8AgAgO7t/Sr4IbK7zD40T9ArO/cesRkgwnRM36pD4NQDXaW8UvMENJt+6yK2 > HrEVOelnH9po5NF7vPf6od2wf1ndIWCouNKRIq4qeQ1DwaiaUqbL6GLKYkBOjEPg > 1qSoHCg2UAMYg6lxrqM6pHneeTAUCnlYY15SdNv6aEJeP+ufjbpZD8HK4fA+W80S > TRvhMmoK1i2Cf5rsKDgiNiPjm5tZCsvcVwwPaKBvLSyEIceYoBstJQ9mfhlBR+dp > N5LtDFt7LZYaVHwrNClvOr1oHFgaPuLQDQeOs2bVM/vdrgTMUZQO72m4Gkm2+hi3 > MZ6PTdX/OsrEHK47g3lTxmF4zwAsCA== > =7enJ > -END PGP SIGNATURE- > Thank you for explaining Marek! -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/97bdfdde-335c-403a-b0cf-6b9ae4009bden%40googlegroups.com.
Re: [qubes-devel] Re: Announcement: Fedora 33 TemplateVMs available
On 3/3/21 7:51 AM, Andrew David Wong wrote: On 3/1/21 6:15 AM, Mike Keehan wrote: On 2/27/21 6:59 PM, Andrew David Wong wrote: On 2/26/21 1:22 PM, Andrew David Wong wrote: Dear Qubes Community, New Fedora 33 TemplateVMs are now available for both Qubes 4.0 and 4.1. *Important:* If you wish to use the Qubes Update widget to update a Fedora 33 template, you must first switch [1] the `default-mgmt-dvm` qube to a Fedora 33 template. (Alternatively, you can create a separate management DisposableVM Template based on a Fedora 33 template for the purpose of updating Fedora 33 templates.) This does not affect updating internally using `dnf`. Instructions are available for upgrading Fedora TemplateVMs [2]. We also provide fresh Fedora 33 TemplateVM packages through the official Qubes repositories, which you can get with the following commands (in dom0). Standard [3] Fedora 33 TemplateVM: $ sudo qubes-dom0-update qubes-template-fedora-33 Minimal [4] Fedora 33 TemplateVM: $ sudo qubes-dom0-update qubes-template-fedora-33-minimal After installing or upgrading a TemplateVM, please remember to update [5] (see important note above) and switch all qubes that were using the old template to use the new one [1]. [1] https://www.qubes-os.org/doc/templates/#switching [2] https://www.qubes-os.org/doc/template/fedora/upgrade/ [3] https://www.qubes-os.org/doc/templates/fedora/ [4] https://www.qubes-os.org/doc/templates/minimal/ [5] https://www.qubes-os.org/doc/software-update-domu/ This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2021/02/25/fedora-33-templates-available/ *Addendum:* Fedora 33 has switched the default DNS resolver to systemd-resolved [1]. If resolving local domains on your LAN does not work as expected even when specifying the full name, you may wish to disable systemd-resolved and enable NetworkManager in the TemplateVM instead. For more on this, please see issue #6431 [2]. For a complete list of changes in Fedora 33, please see the official Fedora 33 release notes [3], and for a more general overview, the official Fedora 33 announcement [4]. [1] https://fedoraproject.org/wiki/Changes/systemd-resolved [2] https://github.com/QubesOS/qubes-issues/issues/6431 [3] https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/ [4] https://fedoramagazine.org/announcing-fedora-33/ Hi Andrew, Disable it in sys-net's template, or in all Fedora templates? Mike. I'm just relaying what was discussed in #6431, but my understanding is that it would only be disabled in sys-net's template. I imagine you could start there and see if it works as expected. If it does, there's probably no need to disable it anywhere else. Hi Andrew, I found that disabling it in the AppVM template was required. (I should have asked on the user list, sorry!) Mike. -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/11b0b4ae-c677-0d2e-17af-ce6c9840fabf%40keehan.net.