QSB #050: Reinstalling a TemplateVM does not reset the private volume
31 views
Skip to first unread message
Andrew David Wong
Jul 25, 2019, 12:14:34 AM7/25/19
to qubes-a...@googlegroups.com, qubes...@googlegroups.com, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear Qubes Community,
We have just published Qubes Security Bulletin (QSB) #050: Reinstalling
a TemplateVM does not reset the private volume. The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).
View QSB #050 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt
Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/
View all past QSBs:
https://www.qubes-os.org/security/bulletins/
```
---===[ Qubes Security Bulletin #50 ]===---
2019-07-24
Reinstalling a TemplateVM does not reset the private volume
Description
===========
In Qubes OS, we have the ability to reinstall a TemplateVM by running
`qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
This is supposed to reset the corresponding TemplateVM to the state of
the published package, i.e., no local changes should remain.
One uncommon reason to perform such a reinstallation is that you suspect
that a TemplateVM may be compromised. In such cases, it is very
important that no local changes persist in order to ensure that the
TemplateVM is no longer compromised.
Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
using qubes-dom0-update does not completely reset all local changes to
that TemplateVM. Although the tool itself and our documentation claim
that the private volume of the TemplateVM is reset during
reinstallation, the private volume does not actually get reset. This
could allow a TemplateVM to remain compromised across a reinstallation
of that TemplateVM using qubes-dom0-update.
Workaround
==========
Fixed packages are forthcoming. In the meantime, we recommend avoiding
the qubes-dom0-update method of reinstalling a TemplateVM. Instead, we
recommend manually removing the TemplateVM, then installing it again.
Detailed instructions for this manual method are documented here:
https://www.qubes-os.org/doc/reinstall-template/#manual-method
(Note that we have updated this page with a warning against the
automatic method.)
Patching
=========
We expect to have fixed packages available next week. In the meantime,
please follow the workaround described in the previous section. We will
update this QSB when fixed packages are available.
Credits
========
Thank you to Andrey Bienkowski <hexagonr...@gmail.com> for
discovering and reporting this issue.
References
===========
[1] https://www.qubes-os.org/doc/reinstall-template/
[2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
- --
The Qubes Security Team
https://www.qubes-os.org/security/
```
This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/07/24/qsb-050/
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl05LEEACgkQ203TvDlQ
MDCA2Q//SBZ/v5eDrOauzdvQcqpgDJHGZyT34b1POcu8u4iAFWXBrnBSYgefDN0d
uMoxcZOy+q+GCy9r176MWl17m1td3ev/WnSgCwcUnDvegC2jLacixqMuoVxXDW3A
6Mvu/Ui73O7bh3fAemoRHP7ts4ZKCZ9LGWEcIzlzR+Sg6jYDLC2sg3xRhp+G1GLX
Jduisn0ZnsTOGAgPnt0MZarn2MXoQt6A+6IwbN5g48Y/2anjiwz45Etkl9y2XTQZ
kfWelmuraf+adKrbqEjYEapl6ARuPsuoR1rb3sSEqVApHZY1syfAioLNHbOfRrmW
oqNPK/GnkOo7wWXyymZPQDDXor6GojYrLbocUcI+KcObiFnGEeqzzRp+s9lm641t
cXHdk+309U1H+z7DRKWeeGW2UZ39hof14bxemWqQnIaLYn0flOX15ke8DANDh9dF
7BRDyTuoFBqOy3W8Ab1iJoVi5ZhyNDOOmzXzkvqyP0lzAtX2AtJlXWUGMIAo+Pqp
z6JH3qXbpBZgJb71qIOU85Eb9FfYgseQa9y2msswiGCh/xpv+/il7WP577/w/FKr
GzV/h2Bw/QTcFj+nLMCnCVF0RZ8XwZ9wz6p/Qy4DxYseNyV0C4efv0zrErzX9a4x
/Ug8jcexTq96sawNTCLVIiIIdAtsIy3y7NCDQtjswiIxVCZKMcQ=
=5Wik
-----END PGP SIGNATURE-----
Hash: SHA512
Dear Qubes Community,
We have just published Qubes Security Bulletin (QSB) #050: Reinstalling
a TemplateVM does not reset the private volume. The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).
View QSB #050 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt
Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/
View all past QSBs:
https://www.qubes-os.org/security/bulletins/
```
---===[ Qubes Security Bulletin #50 ]===---
2019-07-24
Reinstalling a TemplateVM does not reset the private volume
Description
===========
In Qubes OS, we have the ability to reinstall a TemplateVM by running
`qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
This is supposed to reset the corresponding TemplateVM to the state of
the published package, i.e., no local changes should remain.
One uncommon reason to perform such a reinstallation is that you suspect
that a TemplateVM may be compromised. In such cases, it is very
important that no local changes persist in order to ensure that the
TemplateVM is no longer compromised.
Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
using qubes-dom0-update does not completely reset all local changes to
that TemplateVM. Although the tool itself and our documentation claim
that the private volume of the TemplateVM is reset during
reinstallation, the private volume does not actually get reset. This
could allow a TemplateVM to remain compromised across a reinstallation
of that TemplateVM using qubes-dom0-update.
Workaround
==========
Fixed packages are forthcoming. In the meantime, we recommend avoiding
the qubes-dom0-update method of reinstalling a TemplateVM. Instead, we
recommend manually removing the TemplateVM, then installing it again.
Detailed instructions for this manual method are documented here:
https://www.qubes-os.org/doc/reinstall-template/#manual-method
(Note that we have updated this page with a warning against the
automatic method.)
Patching
=========
We expect to have fixed packages available next week. In the meantime,
please follow the workaround described in the previous section. We will
update this QSB when fixed packages are available.
Credits
========
Thank you to Andrey Bienkowski <hexagonr...@gmail.com> for
discovering and reporting this issue.
References
===========
[1] https://www.qubes-os.org/doc/reinstall-template/
[2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
- --
The Qubes Security Team
https://www.qubes-os.org/security/
```
This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/07/24/qsb-050/
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl05LEEACgkQ203TvDlQ
MDCA2Q//SBZ/v5eDrOauzdvQcqpgDJHGZyT34b1POcu8u4iAFWXBrnBSYgefDN0d
uMoxcZOy+q+GCy9r176MWl17m1td3ev/WnSgCwcUnDvegC2jLacixqMuoVxXDW3A
6Mvu/Ui73O7bh3fAemoRHP7ts4ZKCZ9LGWEcIzlzR+Sg6jYDLC2sg3xRhp+G1GLX
Jduisn0ZnsTOGAgPnt0MZarn2MXoQt6A+6IwbN5g48Y/2anjiwz45Etkl9y2XTQZ
kfWelmuraf+adKrbqEjYEapl6ARuPsuoR1rb3sSEqVApHZY1syfAioLNHbOfRrmW
oqNPK/GnkOo7wWXyymZPQDDXor6GojYrLbocUcI+KcObiFnGEeqzzRp+s9lm641t
cXHdk+309U1H+z7DRKWeeGW2UZ39hof14bxemWqQnIaLYn0flOX15ke8DANDh9dF
7BRDyTuoFBqOy3W8Ab1iJoVi5ZhyNDOOmzXzkvqyP0lzAtX2AtJlXWUGMIAo+Pqp
z6JH3qXbpBZgJb71qIOU85Eb9FfYgseQa9y2msswiGCh/xpv+/il7WP577/w/FKr
GzV/h2Bw/QTcFj+nLMCnCVF0RZ8XwZ9wz6p/Qy4DxYseNyV0C4efv0zrErzX9a4x
/Ug8jcexTq96sawNTCLVIiIIdAtsIy3y7NCDQtjswiIxVCZKMcQ=
=5Wik
-----END PGP SIGNATURE-----
Chris Laprise
Jul 25, 2019, 11:23:32 AM7/25/19
to qubes...@googlegroups.com, Andrew David Wong
On 7/25/19 12:12 AM, Andrew David Wong wrote:
> Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
> using qubes-dom0-update does not completely reset all local changes to
> that TemplateVM. Although the tool itself and our documentation claim
> that the private volume of the TemplateVM is reset during
> reinstallation, the private volume does not actually get reset. This
> could allow a TemplateVM to remain compromised across a reinstallation
> of that TemplateVM using qubes-dom0-update.
I created an issue for this bug, and describe two ways to go about it:
> Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
> using qubes-dom0-update does not completely reset all local changes to
> that TemplateVM. Although the tool itself and our documentation claim
> that the private volume of the TemplateVM is reset during
> reinstallation, the private volume does not actually get reset. This
> could allow a TemplateVM to remain compromised across a reinstallation
> of that TemplateVM using qubes-dom0-update.
https://github.com/QubesOS/qubes-issues/issues/5192
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Andrew David Wong
Aug 1, 2019, 9:40:25 PM8/1/19
to qubes-a...@googlegroups.com, qubes...@googlegroups.com, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear Qubes Community,
Fixed packages are now available for Qubes Security Bulletin (QSB) #050:
Hash: SHA512
Dear Qubes Community,
Reinstalling a TemplateVM does not reset the private volume.
Instructions for installing the new packages are included in the latest
version of QSB #050, which is reproduced below.
View QSB #050 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-050-2019.txt
Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/
View all past QSBs:
https://www.qubes-os.org/security/bulletins/
```
---===[ Qubes Security Bulletin #50 ]===---
Reinstalling a TemplateVM does not reset the private volume
========
2019-08-01: Added list of fixed packages and patching instructions
2019-07-24: Initial version
Description
============
In Qubes OS, we have the ability to reinstall a TemplateVM by running
`qubes-dom0-update --action=reinstall qubes-template-...` in dom0. [1]
This is supposed to reset the corresponding TemplateVM to the state of
the published package, i.e., no local changes should remain.
One uncommon reason to perform such a reinstallation is that you suspect
that a TemplateVM may be compromised. In such cases, it is very
important that no local changes persist in order to ensure that the
TemplateVM is no longer compromised.
Due to a regression in R4.0 [2], however, reinstalling a TemplateVM
using qubes-dom0-update does not completely reset all local changes to
that TemplateVM. Although the tool itself and our documentation claim
that the private volume of the TemplateVM is reset during
reinstallation, the private volume does not actually get reset. This
could allow a TemplateVM to remain compromised across a reinstallation
of that TemplateVM using qubes-dom0-update.
=========
The specific packages that resolve the problems discussed in this
bulletin are as follows:
For Qubes 4.0:
- qubes-core-admin-client, python3-qubesadmin version 4.0.26
The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:
For updates from the stable repository (not immediately available):
$ sudo qubes-dom0-update
For updates from the security-testing repository:
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.
Workaround
===========
Independently of patching (see above), the following workaround is
available:
Rather than using the qubes-dom0-update method of reinstalling a
TemplateVM, you can instead manually remove the TemplateVM, then install
it again. Detailed instructions for this manual method are documented
here:
https://www.qubes-os.org/doc/reinstall-template/#manual-method
here:
https://www.qubes-os.org/doc/reinstall-template/#manual-method
Credits
========
Thank you to Andrey Bienkowski <hexagonr...@gmail.com> for
discovering and reporting this issue.
References
===========
[1] https://www.qubes-os.org/doc/reinstall-template/
[2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
- --
The Qubes Security Team
https://www.qubes-os.org/security/
```
This announcement has also been updated on the Qubes website:
========
Thank you to Andrey Bienkowski <hexagonr...@gmail.com> for
discovering and reporting this issue.
References
===========
[1] https://www.qubes-os.org/doc/reinstall-template/
[2] https://github.com/QubesOS/qubes-core-admin-linux/commit/552fd062ea2bb6c2d05faa1e64e172503cacbdbf#diff-6b87ee5cdb9e63b703415a14e5a505cdL192
- --
The Qubes Security Team
https://www.qubes-os.org/security/
```
https://www.qubes-os.org/news/2019/07/24/qsb-050/
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl1DlG8ACgkQ203TvDlQ
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
MDCW3A//QM/K/q/AKQHGrKowA3fhPIkoDs8zhdZ1R/h2SFOkSrloTcyolvg3cnPj
OeUqSis+wroxPFJ8wQb6BSJjEqi9rp9FbYsmcv3sGm3kAdcdliNC4PalMtzEGQUT
1P2bC+9dz0Pegzsq+zjDXVX6d2ZoA+iyAzYkBy6f6q2fPLtmhx3dtjMe0lIS2+OH
fPTdYT7c3wRkWyA5VbFdSLFeNhlno9r+B1ppxqt5I3D0tTXy9+vgaueEr6TmhOov
Q1I5/iG8cUVZqOwBWg4PmixBnyipaDYTxPIcVuBJWwW2I3X4f3P6hmeKCY1HS2c3
mWor3+ygj9JJ4FYPwS73W0Y5e1Wsu+H7AovWfCrEwe2OLupdrHdllfCkv3aEV7HM
0typI2+6h5nH9de5KG+Mkysv+iCqmt1SjCUs/+cGoTiUnhRwAWMwIUQIhzRdIoDo
nZpb04IxOyPkk3bPsv6Q5kSZQrcvCfYvPwGexLJCclcWG37+ZOLlB74ohhhViAgI
MDAXqljdHUOZssA7u+BC814ndrQ2m/kAYiFKwt45y+qqVfHusdWXk24Tx45ohFmC
hGA8uCrutQKdKJjJjibBkQcbs9eL9VnhKuH1gdq70k5fB+CcpqsTo85sL2PIe84r
qYjHuQMD5KC7otTfw9YT3Gehul+YOLuTJDQHd3/y2opCoEaoJCI=
=yaT3
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages