Qubes OS 30 Published by

A Linux netback driver security update has been released for Qubes OS.

             ---===[ Qubes Security Bulletin 092 ]===---


           Buffer overrun in Linux netback driver (XSA-432)

User action required

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.1, in dom0:
  - Linux kernel packages (kernel*-qubes-vm), versions 6.1.43, 6.4.8,

  For Qubes 4.2, in dom0:
  - Linux kernel packages (kernel*-qubes-vm), versions 6.1.43, 6.4.8

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Service qubes that provide network access (such as sys-net,
sys-firewall, sys-whonix, and VPN qubes) must be restarted afterward in
order for the updates to take effect.

By default, all qubes use a kernel provided by dom0. However, advanced
users may opt to modify a given qube so that it uses an in-qube kernel
instead. [3] In such cases, the fixes contained in the kernel packages
listed above will not apply. Instead, any fix would have to come from
the upstream organization responsible for the distribution running in
that qube. If and when the relevant upstream organization makes such a
fix available, a normal update [2] should be sufficient to apply it. The
Qubes security team has no control over this process, as it concerns the
operations of independent organizations. Those who use in-qube kernels
may wish to consider temporarily switching to a dom0-provided kernel.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Linux binaries.


On 2023-08-08, the Xen Project published XSA-432, "Linux: buffer
overrun in netback due to unusual packet" [4]:

| The fix for XSA-423 added logic to Linux'es netback driver to deal
| with a frontend splitting a packet in a way such that not all of the
| headers would come in one piece.  Unfortunately the logic introduced
| there didn't account for the extreme case of the entire packet being
| split into as many pieces as permitted by the protocol, yet still
| being smaller than the area that's specially dealt with to keep all
| (possible) headers together.  Such an unusual packet would therefore
| trigger a buffer overrun in the driver.
| An unprivileged guest can cause Denial of Service (DoS) of the host by
| sending network packets to the backend, causing the backend to crash.
| Data corruption or privilege escalation seem unlikely but have not
| been ruled out.


An attacker who manages to compromise a network-connected qube could
attempt to exploit the vulnerability described in this bulletin in order
to attack the service qube (such as sys-net, sys-firewall, sys-whonix,
or a VPN qube) that provides network access to the compromised qube. The
Qubes security team believes that such an attack is unlikely to succeed
and that this vulnerability is not likely to be exploitable beyond
causing a crash. However, if such an attack were successful, it would
allow the attacker to execute arbitrary code in the service qube,
potentially bypassing the restrictions that such service qubes normally
impose. For example:

- An attacker in control of sys-firewall could bypass the firewall rules
  that sys-firewall normally enforces for the qubes connected to it.
- An attacker in control of sys-whonix could bypass Tor, emit clearnet
  traffic, and learn the machine's real public IP address.
- An attacker in control of a VPN qube could observe and modify the
  network traffic of other qubes that are connected to it -- traffic
  that the VPN would normally protect.
- An attacker in control of sys-net could gain direct access to attached
  PCIe devices.


See the original Xen Security Advisory.


[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://www.qubes-os.org/doc/managing-vm-kernels/
[4] https://xenbits.xen.org/xsa/advisory-432.html

The Qubes Security Team