Qubes Security Bulletin #7


Joanna Rutkowska

Jun 21, 2013, 6:09:24 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com
---===[ Qubes Security Bulletin #7 ]===---


Problem description
---------------------

Xen.org has announced a bunch of security advisories (XSA 52-54, XSA 57,
see [1]) affecting the Xen hypervisor, some of which apply to Qubes OS
Release 1 and Release 2 as well.

While the impact of XSA 52-54 does not seem to be so problematic in
practice, XSA 57 seems to allow for much more serious attacks, and
so users are recommended to apply the patches as soon as possible.

Patching
----------

We have uploaded the patched Xen packages for Qubes Release 1 (version
4.1.5-1), as well as for the latest Qubes R2 Beta 2 (version 4.1.5-4).
In order to update your system, use the following command from the Dom0 console:

sudo qubes-dom0-updates

A system restart will be required afterwards.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR14 will change because of a new
xen.gz binary.


Discussion
------------

This is not the first time that the overly complex permission system
strikes back and causes more harm than good. Xen also has some history
of bugs in its XSM infrastructure, another form of (unnecessary?)
permission system framework. The xenstore permission system itself also
tricked us (Qubes Developers) in the past, as seen in this commit:

http://git.qubes-os.org/?p=joanna/core-admin.git;a=commitdiff;h=59f71f634af596c8fe2ef507509bf1ae850286c7

Such vulnerabilities serve as an example of how we cannot forget about
keeping things simple, also when designing security mechanisms.

The XSA 52-54 patches could not be easily applied to Xen 4.1.2, which
has been used in Qubes R1 and R2 so far, and thus we had to upgrade to
Xen 4.1.5 in both cases.


References
------------

[1] http://wiki.xen.org/wiki/Security_Announcements

Thanks,
joanna.

--
The Qubes Security Team
http://wiki.qubes-os.org/trac/wiki/SecurityPage
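An added example, not code from the bulletin or from the Qubes project: a small POSIX shell check for the patched state described above. It reads the Qubes release and the installed Xen package version and reports whether the fixed package named in this bulletin (4.1.5-1 for R1, 4.1.5-4 for R2 Beta 2) is present. It assumes that /etc/qubes-release contains the words "release 1" or "release 2" and that `rpm -q --qf '%{VERSION}-%{RELEASE}' xen` prints the installed version; the version strings in the demonstration at the bottom are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not part of QSB #7): check whether the Xen package in Dom0
# is at or above the fixed version for the detected Qubes release.

# Minimum fixed Xen package versions, as stated in the bulletin.
FIXED_R1="4.1.5-1"
FIXED_R2="4.1.5-4"

# ver_ge A B: return 0 when "version-release" string A >= B, comparing each
# dot- or dash-separated field numerically (missing fields count as 0).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/);
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i in x) ? x[i] + 0 : 0;
            yi = (i in y) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# xen_patched RELEASE_TEXT INSTALLED_VERSION
# RELEASE_TEXT is the content of /etc/qubes-release (assumed to mention
# "release 1" or "release 2"); INSTALLED_VERSION is "version-release" of
# the xen package. Returns 0 when the fix is present, 1 when an update is
# needed, 2 when the release cannot be recognised.
xen_patched() {
    release_text=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    installed=$2
    case "$release_text" in
        *"release 1"*) required=$FIXED_R1 ;;
        *"release 2"*) required=$FIXED_R2 ;;
        *) echo "unrecognised Qubes release: $1" >&2; return 2 ;;
    esac
    if ver_ge "$installed" "$required"; then
        echo "xen $installed >= $required: QSB #7 fix present"
        return 0
    fi
    echo "xen $installed < $required: run 'sudo qubes-dom0-update' and reboot"
    return 1
}

# Live check, only when running in a Qubes Dom0 with rpm available.
if [ -r /etc/qubes-release ] && command -v rpm >/dev/null 2>&1; then
    xen_patched "$(cat /etc/qubes-release)" \
                "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen)"
fi

# Demonstration on constructed inputs (no real system is inspected).
xen_patched "Qubes release 2 (R2 Beta 2)" "4.1.5-4"
xen_patched "Qubes release 1 (Release 1)" "4.1.2-3"
echo "exit status of the unpatched case: $?"
```

The comparison is field-wise numeric rather than a plain string compare, so a later package such as 4.1.10-1 correctly sorts above 4.1.5-4; remember that after the update a reboot is still required, and Anti Evil Maid users must reseal to the new PCR14 value as the bulletin notes.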



Qubes Fan

Jun 21, 2013, 6:17:01 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com
On Friday, June 21, 2013 3:09:24 AM UTC-7, Joanna Rutkowska wrote:
> In order to update your system, use the following command from the Dom0 console:
>
> sudo qubes-dom0-updates

Same typo as in the previous bulletin, I think. Should be 'sudo qubes-dom0-update'. No 's'.

Joanna Rutkowska

Jun 21, 2013, 6:18:46 AM
to qubes...@googlegroups.com, Qubes Fan, qubes...@googlegroups.com
Yeah, right. One day I shall get it right ;)

j.


Franz

Jun 21, 2013, 7:43:43 AM
to Joanna Rutkowska, qubes...@googlegroups.com, qubes...@googlegroups.com
Is there a command to know which version of Qubes my system is running? That is, to understand whether I can update it with the patch or have to reinstall everything anew.
Best
Franz

Joanna Rutkowska

Jun 21, 2013, 7:46:15 AM
to Franz, qubes...@googlegroups.com, qubes...@googlegroups.com
On 06/21/13 13:43, Franz wrote:
> Is there a command to know which version of Qubes my system is running?
> That is to understand if I can update it with the patch or I have to
> reinstall everything anew.

:)

cat /etc/qubes-release (in Dom0 console)

... or click About-> Qubes OS (in the Qubes Manager)


But, in any case, the update procedure (for both R1 and R2) should be
the same, right?

j.

pasca...@gmail.com

Jun 22, 2013, 7:17:28 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com
I upgraded to Xen 4.1.5 and resuming from suspend does not seem to work anymore. I use R1 on a ThinkPad T410 with Intel graphics.

Joanna Rutkowska

Jun 22, 2013, 7:27:27 AM
to qubes...@googlegroups.com, pasca...@gmail.com, qubes...@googlegroups.com
It's always sad to hear such reports, but there's not much we (The
Qubes Project) can do about it :/ The proper place to complain and get
help is the xen-devel mailing list.

But perhaps you might consider trying out Qubes R2 -- for this we have
at least several different Dom0 kernels to try, so chances are high one
of those would work for you... Really, even though the current R2
release is called "Beta", I would consider it much more stable than the
"old" R1...

joanna.


pasca...@gmail.com

Jun 22, 2013, 9:29:12 AM
to qubes...@googlegroups.com, qubes...@googlegroups.com, pasca...@gmail.com
I was not complaining... I just tried your OS a few days ago and adopted it quickly, so I won't complain to you!
I first tried R2B2 but got the issues with the i915 driver, so I couldn't install it. I found out it was a problem with the kernel (not surprising...). From what I saw the 3.9.2 kernel should just work, but I haven't had the time to create a new ISO with this kernel.
Anyway, thank you for your answer and this OS :)
R1 seems very stable to me. On Linux there is a program called "stress"; the only OS I've tried which survives this tool with extreme parameters is Qubes, all the others crashed (even Debian or RedHat, which are considered to be very stable). In fact the VM can crash in Qubes, but not the whole OS. Just my quick experience...

Joanna Rutkowska

Jun 23, 2013, 4:11:20 AM
to qubes...@googlegroups.com, pasca...@gmail.com, qubes...@googlegroups.com
That's surely something to attribute to the Xen hypervisor.

joanna.
