Salt worm


tetra...@danwin1210.me

May 6, 2020, 1:56:34 AM
to qubes...@googlegroups.com
Qubes uses Salt, and there's something nasty going around:
https://saltexploit.com/

haaber

May 6, 2020, 4:41:05 AM
to qubes...@googlegroups.com
> Qubes uses Salt, and there's something nasty going around:
> https://saltexploit.com/

Risk = (probability of an event) x (consequences of the event).

At which levels is salt used in qubes? I remember my last "active" use >1 year
ago to get hopefully clean templates after the apt-"crisis".
But maybe it is "under the hood" at each qubes-dom0-update? If it were
to be used "by hand only" we could enforce risk = 0 by the above formula
and keeping fingers off salt for a while. Thanks!


taran1s

May 6, 2020, 4:54:07 AM
to qubes-users


haaber:
There was today an update for all templates related to the salt. Doesn't
it include a patch?

dhorf-hfre...@hashmail.org

May 6, 2020, 5:11:02 AM
to qubes...@googlegroups.com
sm1> Qubes uses Salt, and there's something nasty going around:
sm1> https://saltexploit.com/

sm2> to be used "by hand only" we could enforce risk = 0 by the above formula
sm2> and keeping fingers off salt for a while. Thanks!

sm3> There was today an update for all templates related to the salt. Doesn't
sm3> it include a patch?

did any of you actually bother to look at the problem?
because i am 99% sure this doesn't apply to qubes. at all.
(also you are several days late on this...)

this seems to be the original source and contains a fairly
good writeup:

https://labs.f-secure.com/advisories/saltstack-authorization-bypass



haaber

May 6, 2020, 6:02:59 AM
to qubes...@googlegroups.com
> did any of you actually bother to look at the problem?
> because i am 99% sure this doesn't apply to qubes. at all.
> (also you are several days late on this...)
>
> this seems to be the original source and contains a fairly
> good writeup:
>
> https://labs.f-secure.com/advisories/saltstack-authorization-bypass

Thanks for the source. How do you infer that this "doesn't apply" (and
maybe "did never apply") to qubes? Recall my question: where does salt
appear "under the hood" in qubes? This question seems relevant, since at
least I (almost) never invoke salt by hand. Is that not a reasonable
question? Explain.

dhorf-hfre...@hashmail.org

May 6, 2020, 7:35:14 AM
to haaber, qubes...@googlegroups.com
On Wed, May 06, 2020 at 12:02:55PM +0200, haaber wrote:
> > https://labs.f-secure.com/advisories/saltstack-authorization-bypass

> Thanks for the source. How do you infer that this "doesn't apply" (and
> maybe "did never apply") to qubes? Recall my question: where does salt

the vulnerabilities are both in some networked-zeroMQ cloud-management
component. which qubes is most certainly not using.


> appear "under the hood" in qubes? This question seems relevant, since at
> least I (almost) never invoke salt by hand. Is that not a reasonable
> question? Explain.

the most user-exposed part of qubes-salt is ...
... if you run qubesctl things to manage service vms.
it all stays either within a vm or uses qrexec where needed.
if you want to take a look, check /srv/ for the salt parts
and /usr/lib/python*/*/qubessalt/ for the qubesctl parts.



unman

May 6, 2020, 9:17:20 AM
to qubes...@googlegroups.com
Actually, the *most* user-exposed use of salt in Qubes is its use in the
qui-updates tool.
Salt is used to provision the qubes at initial install - I'd also argue
that you *should* use salt to set up and control your templates and
qubes, since it allows you to rebuild your system automatically. No more
trying to remember what packages you installed in a template, or how you
set up a particular qube.

To expand on what has been said, in a normal salt setup, there is
a server (master) and assorted minions - the minions sit on other
networked devices.
This vulnerability affects authentication on the server and allows for
complete control over the server, and therefore control of all minions
controlled by it. It's a huge security flaw.
Of course, one might wonder what sort of security is in place where the
control and command server is connected to the wider internet, as the
advisory suggests.

In Qubes, by default, there is one minion, in dom0, which isn't
networked. So there is no scope for this vulnerability to impact the salt
configuration that Qubes uses, and to undermine the security of dom0.

unman
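A defender-side check for the point made in the message above, as an added example that is not part of the original thread or of Qubes/Salt code: it parses `ss -H -ltn` output and reports any listener on the Salt master's default ZeroMQ ports (4505 publish, 4506 return) that is bound to a non-loopback address. The function names and the sample output are constructed for illustration, and a master configured on non-default ports would not be caught.

```python
import ipaddress
import subprocess

# Salt master defaults: publish_port 4505 and ret_port 4506 (ZeroMQ over TCP).
SALT_MASTER_PORTS = {4505, 4506}

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -H -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        yield addr, int(port)

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds ('*') count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or unparseable address: fail closed, treat as exposed

def exposed_master_listeners(ss_output):
    """Return sorted (address, port) pairs on Salt master ports reachable off-host."""
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if port in SALT_MASTER_PORTS and not is_loopback(addr)
    )

# Constructed sample: a host running a master bound to all interfaces.
SAMPLE_MASTER = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1000 0.0.0.0:4505 0.0.0.0:*
LISTEN 0 1000 [::]:4506 [::]:*
LISTEN 0 128 127.0.0.1:4506 0.0.0.0:*
"""

if __name__ == "__main__":
    # Run against the live host; an empty result means no listener on these ports.
    live = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True).stdout
    for addr, port in exposed_master_listeners(live):
        print(f"possible salt-master listener: {addr}:{port}")
```

A hit only means something is listening on those ports; confirm the owning process before drawing conclusions.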

tetra...@danwin1210.me

May 7, 2020, 7:27:30 AM
to unman, qubes...@googlegroups.com
On Wed, May 06, 2020 at 02:17:15PM +0100, unman wrote:
>Salt is used to provision the qubes at initial install - I'd also argue
>that you *should* use salt to set up and control your templates and
>qubes, since it allows you to rebuild your system automatically. No more
>trying to remember what packages you installed in a template, or how you
>set up a particular qube.

That sounds excellent. I've never used Salt. Is there a writeup anywhere
explaining how to use it for setting up & controlling templates?

>In Qubes, by default, there is one minion, in dom0, which isn't
>networked. So there is no scope for this vulnerability to impact the salt
>configuration that Qubes uses, and to undermine the security of dom0.

Great, thanks for clearing this up!

Sven Semmler

May 7, 2020, 12:57:54 PM
to tetra...@danwin1210.me, unman, qubes...@googlegroups.com
On Wed, May 06, 2020 at 04:42:58PM +0000, tetrahedra via qubes-users wrote:
> On Wed, May 06, 2020 at 02:17:15PM +0100, unman wrote:
> > Salt is used to provision the qubes at initial install - I'd also argue
> > that you *should* use salt to set up and control your templates and
> > qubes, since it allows you to rebuild your system automatically. No more
> > trying to remember what packages you installed in a template, or how you
> > set up a particular qube.
>
> That sounds excellent. I've never used Salt. Is there a writeup anywhere
> explaining how to use it for setting up & controlling templates?

I agree. Personally I have a large amount of bash scripts in dom0 to
automate this but it's imperfect and still requires a lot of manual
interventions. I had a very brief look at the salt documentation, which
made clear to me that I have to take a larger amount of time with it and
maybe even buy a book about it. So that hasn't happened yet.

If there is a basic writeup out there with examples how to automate
template setup for Qubes ... that would be really great.

/Sven

-- 
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

unman

May 8, 2020, 9:29:08 AM
to qubes...@googlegroups.com
On Thu, May 07, 2020 at 11:57:46AM -0500, Sven Semmler wrote:
> On Wed, May 06, 2020 at 04:42:58PM +0000, tetrahedra via qubes-users wrote:
> > On Wed, May 06, 2020 at 02:17:15PM +0100, unman wrote:
> > > Salt is used to provision the qubes at initial install - I'd also argue
> > > that you *should* use salt to set up and control your templates and
> > > qubes, since it allows you to rebuild your system automatically. No more
> > > trying to remember what packages you installed in a template, or how you
> > > set up a particular qube.
> >
> > That sounds excellent. I've never used Salt. Is there a writeup anywhere
> > explaining how to use it for setting up & controlling templates?
>
> I agree. Personally I have a large amount of bash scripts in dom0 to
> automate this but it's imperfect and still requires a lot of manual
> interventions. I had a very brief look at the salt documentation, which
> made clear to me that I have to take a larger amount of time with it and
> maybe even buy a book about it. So that hasn't happened yet.
>
> If there is a basic writeup out there with examples how to automate
> template setup for Qubes ... that would be really great.
>

I ran some training a few years back, and the notes are here:
https://github.com/unman/notes/tree/master/salt

They start with the simplest use of `qubesctl`, and work up to quite
complex configurations, but should be easy to understand.
There are examples in (naturally) "examples".

For some real world cases look in notes/config.

unman

Manuel Amador (Rudd-O)

May 8, 2020, 12:01:40 PM
to qubes...@googlegroups.com

Salt in Qubes OS does not use the Salt master.  It is therefore unaffected by this issue.

I have now become accustomed to receiving notifications from Qubes OS saying "XSA-xxx does not affect Qubes security".  There should be a similar one for the Salt CVE.

-- 
    Rudd-O
    http://rudd-o.com/

Manuel Amador (Rudd-O)

May 8, 2020, 12:02:05 PM
to qubes...@googlegroups.com

No Salt master in Qubes -> no remoting exploit.

-- 
    Rudd-O
    http://rudd-o.com/

Sven Semmler

May 8, 2020, 2:42:24 PM
to unman, qubes...@googlegroups.com
On Fri, May 08, 2020 at 02:29:02PM +0100, unman wrote:
> I ran some training a few years back, and the notes are here:
> https://github.com/unman/notes/tree/master/salt
>
> They start with the simplest use of `qubesctl`, and work up to quite
> complex configurations, but should be easy to understand.
> There are examples in (naturally) "examples".
>
> For some real world cases look in notes/config.

Thank you! This looks very promising, I'll work through it.

/Sven

-- 
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6

tetra...@danwin1210.me

May 15, 2020, 2:14:52 PM
to unman, qubes...@googlegroups.com
On Fri, May 08, 2020 at 02:29:02PM +0100, unman wrote:
>> If there is a basic writeup out there with examples how to automate
>> template setup for Qubes ... that would be really great.
>>
>
>I ran some training a few years back, and the notes are here:
>https://github.com/unman/notes/tree/master/salt

Thanks!